throbber
Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 1 of 24
`
`IN THE UNITED STATES DISTRICT COURT
`FOR DISTRICT OF MARYLAND
`SOUTHERN DIVISION
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`HADONA DIEP
`18013 Foxworth Court
`Gaithersburg, MD 20874
`
`
`
`Individually, and on behalf of
` similarly-situated persons,
`as Plaintiff,
`
`v.
`
`APPLE, INC.,
`One Apple Park Way
`Cupertino, CA 95014
`
`Case No. 21-2359
`
` )
` )
` )
` )
` )
` )
` )
` )
` )
` )
` )
` )
` )
` )
` )
` )
`
`
`Defendant.
`
`
`
` )
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`CLASS ACTION COMPLAINT
`
`Plaintiff Hadona Diep, by and through undersigned counsel, and on her own
`
`behalf and on behalf of those similarly situation, for her Class Action Complaint against
`
`Apple, Inc., seeking damages, hereby alleges as follows:
`
`NATURE OF THE CASE
`
`1.
`
`This action is a class-action suit for damages under the federal and state
`
`laws of the United States, seeking legal remedy for the Defendant's breaches of those
`
`same laws, in participating in and or allowing “hacking” and “breach” of financial
`
`account information and actual theft of personal financial assets, by authorizing a
`
`malicious application in the “App Store” and maintaining the same, despite knowledge of
`
`the criminal activity, and the Defendant's further failures to notify Plaintiff and the Class
`
`Members that their financial information had been compromised.
`
`PARTIES
`
`1
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 2 of 24
`
`2.
`
`3.
`
`4.
`
`Plaintiff Hadona Diep is a resident of the State of Maryland.
`
`Defendant Apple, Inc. is a corporation of the State of California.
`
`JURISDICTION AND VENUE
`
`Jurisdiction is proper in the Court as the Plaintiff brings Federal causes of
`
`action pursuant to 18 U.S.C. § 1030(g) and 47 U.S.C. § 230(e)(4). This Court has
`
`supplemental jurisdiction over the State law claims pursuant to 28 U.S.C. § 1367.
`
`5.
`
`Jurisdiction is further proper under the Class Action Fairness Act of 2005,
`
`28 U.S.C. § 1332(d), because, on information and belief, the proposed Class(es) consists
`
`of 100 or more members; the amount in controversy exceeds $5,000,000, exclusive of
`
`costs and interest; and minimal diversity exists.
`
`6.
`
`This Court may exercise personal jurisdiction over the Defendant, who
`
`has availed itself of the jurisdiction of this Court through acts and omissions, including
`
`but not limited to, advertising its services in this District, selling products and services to
`
`consumers in this District, and by otherwise conducting business in this District.
`
`7.
`
`Venue is proper in this forum pursuant to 28 U.S.C. § 1391(b), as the
`
`Plaintiff resides in this judicial district and/or a substantial part of the acts or omissions
`
`giving rise to the claims herein occurred in the same.
`
`GENERAL ALLEGATIONS
`
`Plaintiff uses a computer in interstate commerce.
`
`Plaintiff makes her living as a full-time cyber-security IT professional.
`
`8.
`
`9.
`
`10.
`
`Apple, Inc. (“Apple”) is the largest, or at least one of the largest, mobile
`
`and tablet application providers in the world, through its universally-known “App Store.”
`
`11.
`
`Apple itself describes the App Store to consumers as, for over a decade,
`
`having
`
`2
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 3 of 24
`
`proved to be a safe and trusted place to discover and download
`
`apps. But the App Store is more than just a storefront — it’s an
`
`innovative destination focused on bringing you amazing
`
`experiences. And a big part of those experiences is ensuring that
`
`the apps we offer are held to the highest standards for privacy,
`
`security, and content. Because we offer nearly two million apps —
`
`and we want you to feel good about using every single one of
`
`them.1
`
`12.
`
`Apple controls what applications may be sold or provided to consumers
`
`through the App Store by a rigorous vetting process that involves provision of the
`
`proposed application's purpose and a copy of the application itself and any relevant
`
`source code, users' guides, and software documentation.2
`
`13.
`
`Apple customers in fact have no other practical or convenient manner in
`
`which to download applications for their iPhones or iPads, as Apple maintains rigorous
`
`control over applications that can be placed on their devices.3
`
`14.
`
`The monopolistic App Store therefore generates tens of billions in dollars
`
`of revenue per year for Apple, through Apple's charging of a 70/30 percent split on all
`
`revenue generated through applications downloaded through the App Store, whether
`
`through fees for downloads, subscriptions, in-app purchases, or service fees.4
`
`1 https://www.apple.com/app-store/ (last accessed September 3, 2021 at 5:31PM).
`2 See, e.g., https://developer.apple.com/app-store/review/guidelines/#business (last accessed September 3,
`2021, at 1:27PM EST).
`3 See, e.g., https://www.lifewire.com/get-apps-not-in-app-store-1999916 (last accessed September 3, 2021,
`at 5:31PM).
`4 See, e.g., https://www.cnbc.com/2021/01/08/apples-app-store-had-gross-sales-around-64-billion-in-
`2020.html (last accessed September 3, 2021, at 5:34PM); https://www.marketwatch.com/story/how-
`profitable-is-apples-app-store-even-a-landmark-antitrust-trial-couldnt-tell-us-11622224506; (last accessed
`September 3, 2021, at 5:35PM); https://www.theverge.com/2019/3/20/18273179/apple-icloud-itunes-app-
`store-music-services-businesses (last accessed September 3, 2021, at 5:33PM).
`
`3
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 4 of 24
`
`15.
`
`Furthermore, even when Apple does not directly profit from an
`
`application downloaded from the App Store, drawing consumers to its selling forum, as
`
`opposed to other fora, has considerable business advantage to Apple, as it dissuades
`
`consumers from using other devices.
`
`16.
`
`Because Plaintiff knew, or at least thought she knew, that Apple
`
`thoroughly vets applications before it allowed them on the App Store, Plaintiff
`
`downloaded the application known as Toast Plus from the Apple App Store on or about
`
`March of 2020 onto her iPhone.
`
`17.
`
`Plaintiff believed that Toast Plus was a version of Toast Wallet, a well-
`
`known cryptocurrency wallet, as the names were similar and the logo used for the
`
`application in the App Store was the same or nearly identical.
`
`18.
`
`On or about January 2, 2018, Plaintiff caused approximately 474 Ripple
`
`(“XRP”) cryptocurrency coins to be transferred from the Bittrex cryptocurrency
`
`exchange to a secure cryptocurrency wallet, called Rippex.
`
`19.
`
`Rippex shut down February 2nd, 2018; however, Plaintiff could still
`
`access her coins from any secure wallet. Plaintiff thereafter linked her private XRP key,
`
`or a seed phrase, into Toast Plus in March of 2021.
`
`20.
`
`As Plaintiff intended to hold the XRP as an investment and not to actively
`
`trade it, she did not check the Toast Wallet Plus application after entering her seed phrase
`
`into it.
`
`21.
`
`In August of 2021, Plaintiff checked her account on Toast Plus, and
`
`discovered that not only did she have no XRP in the Wallet, her account was "deleted" on
`
`March 3, 2021.
`
`4
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 5 of 24
`
`22.
`
`Plaintiff thereupon began investigating the matter, and discovered that
`
`Toast Plus was not in fact a version of the legitimate Toast Wallet application, but was
`
`instead a “spoofing” or “phishing” program created for the sole purpose of stealing
`
`cryptocurrency, by obtaining consumers' cryptocurrency account information and
`
`thereafter routing the same to the hackers' personal accounts.
`
`23.
`
`Plaintiff took the following steps to investigate the theft of her property:
`
`contacting or attempting to contact Toast Plus; investigating Toast Plus through online
`
`resources; contacting Apple; contacting the Federal Trade Commission and the Federal
`
`Bureau of Investigations; and identifying co-conspirators involved in the fraudulent acts
`
`through online research.
`
`24.
`
`While the App Store does have terms and conditions, including limitations
`
`on liability, those terms and conditions are the product of adhesion, in that consumers
`
`have no other practical ability to access applications for the iPhones and iPads if they do
`
`not use the App Store; those terms and conditions are therefore not applicable to this
`
`case.
`
`25.
`
`Plaintiff has no power to negotiate any terms whatsoever and no other
`
`source from which to get applications for her Apple products, and or many of the terms
`
`of which are unenforceable as being in violation of public policy.
`
`26.
`
`Furthermore, those contractual terms are expressly exempted when there
`
`are State laws that either forbid such contractual terms or legislation that otherwise
`
`controls the subject matter.
`
`27.
`
`Furthermore, the fact that Toast Plus was not an actual application, but
`
`instead a medium for the commission of fraud, makes any existing contract using it as
`
`5
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 6 of 24
`
`subject matter void, as there was a failure of consideration and or mistake of the same, as
`
`what was requested by Plaintiff and Class Members was not provided by Defendant.
`
`CLASS ACTION ALLEGATIONS
`
`28.
`
`Plaintiff brings this action on behalf of herself and as a class action,
`
`pursuant to the provisions of Federal Rules of Civil Procedure Rules 23(a), (b)(2), and
`
`(b)(3), on behalf of the classes identified herein:
`
`The National Class
`
`All United States persons who downloaded or otherwise used
`
`Toast Plus from the Apple Store within the relevant statutory
`
`period and suffered actual loss of cryptocurrency as a result,
`
`regardless of the amount of lost cryptocurrency.
`
`The Maryland Class
`
`All Maryland residents who downloaded or otherwise used Toast
`
`Plus from the Apple Store within the relevant statutory period and
`
`suffered actual loss of cryptocurrency as a result, regardless of the
`
`amount of lost cryptocurrency.
`
`29.
`
`Excluded from the Class are Defendant and its subsidiaries and related
`
`entities; all persons who make a timely election to be excluded from the Class;
`
`governmental entities; and any judge to whom this case is assigned and his/her
`
`immediate family. Plaintiff reserves the right to revise the Class definition based upon
`
`information learned through discovery.
`
`30.
`
`Certification of Plaintiff’s claims for class-wide treatment is appropriate
`
`because Plaintiff can prove the elements of her claims on a class-wide basis using the
`
`6
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 7 of 24
`
`same evidence as would be used to prove those elements in individual actions alleging
`
`the same claim.
`
`31.
`
`This action has been brought and may be properly maintained on behalf of
`
`the Class proposed herein under Federal Rule of Civil Procedure 23 for the following
`
`reasons:
`
`Numerosity
`
`32.
`
`Pursuant to Federal Rule of Civil Procedure 23(a)(1), the members of the
`
`Classes are so numerous and geographically dispersed that individual joinder of all Class
`
`members is impracticable. While Plaintiff is informed and believes that there are at least
`
`hundreds or thousands of members of the Class, the precise number of Class members in
`
`Maryland and Nationwide is unknown to Plaintiff, but may be ascertained from
`
`Defendant's books and records. Class members may effectively and efficiently be
`
`notified of the pendency of this action by recognized, Court-approved dissemination
`
`methods, which may include U.S. mail, electronic mail, Internet postings, and/or
`
`publication.
`
`Commonality and Predominance
`
`33.
`
`Pursuant to Federal Rule of Civil Procedure 23(a)(2) and 23(b)(3), this
`
`action involves common questions of law and fact, which predominate over any
`
`questions affecting individual Class members, including, without limitation:
`
`a. Whether Defendant engaged in the conduct alleged herein;
`
`b. Whether Defendant's conduct constituted violations of federal and state
`
`computer fraud, wiretap, data privacy, consumer protection, contract, and tort law;
`
`7
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 8 of 24
`
`c. Whether Plaintiff and the other Class members are entitled to damages and
`
`other monetary relief and, if so, in what amount.
`
`Typicality
`
`34.
`
`Plaintiff’s claims are typical of the other Class members’ claims because,
`
`among other things, all Class members were comparably injured through Defendants’
`
`wrongful conduct as described above.
`
`Adequacy
`
`35.
`
`Plaintiff is an adequate Class representative because her interests do not
`
`conflict with the interests of the other members of the Classes she seeks to represent;
`
`Plaintiff has retained experienced counsel competent in complex multi-party and class
`
`action litigation, and Plaintiff intends to prosecute this action vigorously. The Classes’
`
`interests will be fairly and adequately protected by Plaintiff and her counsel.
`
`Superiority
`
`36.
`
`It is well-recognized that class action litigation is superior to any other
`
`available means for the fair and efficient adjudication of this controversy, and no unusual
`
`difficulties are likely to be encountered in the management of this action as a class action.
`
`The damages suffered by Plaintiff and the other Class members are relatively small
`
`compared to the burden and expense that would be required to individually litigate their
`
`claims against Defendant, so it would be impracticable for members of the proposed
`
`Maryland and National Classes to individually seek redress from the courts. Even if the
`
`individual Class members could afford to undertake individual litigation, such individual
`
`claims would overwhelm the court system should they do so. Furthermore, individual
`
`litigation creates potential for inconsistent or contradictory judgments, and increases
`
`8
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 9 of 24
`
`delay and expense to the parties and to the court system. A class action in this matter
`
`would present fewer administrative difficulties, would be more efficient, and would
`
`enhance the interests of consistent and fair justice in this matter.
`
`COUNT I
`Violations of the Computer Fraud and Abuse Act,
`18 U.S.C § 1030, et seq.
`(on behalf of Plaintiff and the all Classes)
`
`37.
`
`Plaintiff repeats and incorporates herein by reference the allegations in the
`
`preceding paragraphs of this Complaint, as if set forth fully herein.
`
`38.
`
`Plaintiff’s (and each Class Members') computer is a “protected
`
`computer . . . which is used in interstate commerce and/or communication” within the
`
`meaning of 18 U.S.C. § 1030(e)(2)(B).
`
`39.
`
`The application Toast Plus's sole purpose is to entice consumers to divulge
`
`their cryptocurrency account information, by mimicking an established cryptocurrency
`
`wallet in name, mark, and design, thereby allowing hackers to steal that cryptocurrency.
`
`40.
`
`The Defendant, having examined the application Toast Plus prior to
`
`authorizing it for distribution on the App Store, knew its purpose.
`
`41.
`
`To the extent that Defendant did not know the true purpose of Toast Plus
`
`prior to its authorization for distribution on the App Store, Defendant came to know its
`
`true purpose prior to the Plaintiff and the Class Members downloading Toast Plus.
`
`42.
`
`By allowing the application Toast Plus to be distributed on the App Store,
`
`Defendant violated the Computer Fraud and Abuse Act, in that Defendant
`
`● intentionally accessed or caused Plaintiff's and Class Members computer(s) to be
`
`accessed without authorization or exceeded authorized access, through that Toast
`
`9
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 10 of 24
`
`Plus application, and thereby obtained information from those protected
`
`computer(s); and or
`
`● knowingly and with intent to defraud, accessed or caused Plaintiff's and Class
`
`Members computer(s), a protected computer, to be accessed, without
`
`authorization, and or exceeded authorized access, through the Toast Plus
`
`application, and by means of such conduct furthers the intended fraud and
`
`obtained something of value, to wit, Plaintiff's cryptocurrency, and or
`
`● intentionally accessed or caused Plaintiff's and Class Members computer(s), a
`
`protected computer, to be accessed, without authorization, and as a result of such
`
`conduct, caused damage and loss, and or
`
`● conspired with others to commit or attempt to commit those acts.
`
`43.
`
`These acts and omissions occurred within two years of the date of this
`
`filing, or two years of the date of Plaintiff's discovery of the same.
`
`44.
`
`Plaintiff personally has suffered more than $5,000 in direct consequential
`
`economic damages as a result of Defendant's acts and omissions, in that she lost
`
`cryptocurrency of value, and has spent her time investigating the source and method of
`
`the fraud, determining who was responsible, contacting law enforcement agencies, and
`
`communicating with Defendant to attempt to investigate and remediate the fraud, to no
`
`avail, and conferring with legal counsel on the fraud and any remedies.
`
`45.
`
`Therefore, Plaintiff requests entry of judgment in her and the Classes'
`
`favor against Defendant for violations of the CFAA, in the amount of $5,000, or actual
`
`damages, to be demonstrated at trial.
`
`10
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 11 of 24
`
`COUNT II
`Violations of the Electronic Communications Privacy Act,
`18 U.S.C. § 2510, et seq.
`(on behalf of Plaintiff and all Classes)
`
`46.
`
`Plaintiff repeats and incorporates herein by reference the allegations in the
`
`preceding paragraphs of this Complaint, as if set forth fully herein.
`
`47.
`
`The Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2510
`
`(“ECPA”), regulates wire and electronic communications interception and interception of
`
`oral communications, and makes it unlawful for a person to “willfully intercept [],
`
`endeavor [] to intercept, or procure . . . any other person to intercept or endeavor to
`
`intercept any wire, oral, or electronic communication,” within the meaning of 18 U.S.C.
`
`§ 2511(1).
`
`48.
`
`By intentionally allowing the application Toast Plus distributed through
`
`the App Store, Defendant violated 18 U.S.C. § 2511 by intentionally acquiring and/or
`
`intercepting, by device or otherwise, Plaintiff and Class members’ electronic
`
`communications, without knowledge, consent, or authorization.
`
`49.
`
`The contents of data transmissions from and to Plaintiff and Class
`
`Members’ personal computers constitute “electronic communications” within the
`
`meaning of 18 U.S.C. § 2510.
`
`50.
`
`Plaintiff and Class Members each individually qualify as a “person
`
`whose . . . electronic communication is intercepted . . . or intentionally used in violation
`
`of this chapter” under 18 U.S.C. § 2520.
`
`51.
`
`Through the Toast Plus application, Defendant violated 18 U.S.C. §
`
`2511(1)(a) by intentionally intercepting, endeavoring to intercept, or procuring any other
`
`11
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 12 of 24
`
`person to intercept or endeavor to intercept Plaintiff’s and Class Members' electronic
`
`communications.
`
`52.
`
`Defendant further violated 18 U.S.C. 2511(1)(c) by intentionally
`
`disclosing, or endeavoring to disclose, to any other person, the contents of Plaintiff’s
`
`electronic communications, knowing or having reason to know that the information was
`
`obtained through the interception of Plaintiff’s electronic communications.
`
`53.
`
`Defendant further violated 18 U.S.C. § 2511(1)(d) by intentionally using
`
`or endeavoring to use, the contents of Plaintiff’s electronic communications, knowing of
`
`having reason to know that the information obtained through the interception of
`
`Plaintiff’s electronic communications.
`
`54.
`
`Defendant’s intentional interception of these electronic communications
`
`was without Plaintiff's or the Class Members’ knowledge, consent, or authorization.
`
`55.
`
`Defendant's actions further have no legal justification exempting it from
`
`liability.
`
`56.
`
`Defendant intentionally used such electronic communications, with
`
`knowledge, or having reason to know, that the electronic communications were obtained
`
`through interception, for an unlawful purpose.
`
`57.
`
`Defendant unlawfully accessed and used, and voluntarily disclosed, the
`
`contents of the intercepted communications to enhance their profitability and revenue.
`
`58.
`
`59.
`
`Defendant is liable directly and/or vicariously for this cause of action.
`
`Plaintiff therefore seeks full legal and equitable remedy under the EPCA,
`
`including such preliminary and other equitable or declaratory relief as may be
`
`appropriate, for damages consistent with subsection (c) of that section to be proven at
`
`12
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 13 of 24
`
`trial, punitive damages to be proven at trial, reasonable attorney’s fees, and other
`
`litigation costs incurred.
`
`60.
`
`Plaintiff and Class Members have suffered direct loss by reason of these
`
`violations, including, without limitation, loss of present day value of cryptocurrency, loss
`
`of investment value of the same, loss of time in investigating the conduct, and violations
`
`of the right of privacy.
`
`61.
`
`Plaintiff and the Class Members are entitled to statutory damages of the
`
`greater of $10,000 or $100 per day for each day of violation, actual and punitive
`
`damages, reasonable attorneys’ fees, and Defendant’s profits obtained from the above
`
`described violations.
`
`62.
`
`Furthermore, unless restrained and enjoined, Defendant will continue to
`
`commit such acts. Plaintiff’s remedy at law is not adequate to compensate it for these
`
`inflicted and threatened injuries, entitling Plaintiff to remedies including injunctive relief
`
`as provided by 18 U.S.C. 2510. Plaintiff therefore requests that Defendant be enjoined
`
`and restrained from distributing such “phishing” or “spoofing” applications in the App
`
`Store, and that this Court retain jurisdiction over this matter to monitor compliance with
`
`such an order.
`
`COUNT III
`Interception of Electronic Communications in
`Violation of Md. Code Ann., Wiretap & Electronic Surveillance Act § 10-402(a)(1)
`(on behalf of Plaintiff and the Maryland Class)
`
`63.
`
`Plaintiff repeats and incorporates herein by reference the allegations in the
`
`preceding paragraphs of this Complaint, as if set forth fully herein.
`
`13
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 14 of 24
`
`64.
`
`In relevant part, Maryland Code Wiretap and Electronic Surveillance Act
`
`§ 10-402(a) (2006) provides that it is unlawful for any person to:
`
`● (1) Wilfully intercept, endeavor to intercept, or procure any other person to
`intercept or endeavor to intercept, any wire, oral, or electronic communication;
`
`● (2) Wilfully disclose, or endeavor to disclose, to any other person the contents of
`any wire, oral, or electronic communication, knowing or having reason to know
`that the information was obtained through the interception of a wire, oral, or
`electronic communication in violation of this subtitle. . . .
`
`65.
`
`Maryland Code § 10-401(3) (2006) provides that “intercept” means “the
`
`aural or other acquisition of the contents of any wire, electronic, or oral communication
`
`through the use of any electronic, mechanical, or other device.”
`
`66.
`
`Maryland Code § 10-401(7) (2006) provides that “Contents”, when used
`
`with respect to any wire, oral, or electronic communication, includes any information
`
`concerning the identity of the parties to the communication or the existence, substance,
`
`purport, or meaning of that communication.”
`
`67.
`
`68.
`
`Defendant is a “person” with the meaning of Maryland Code § 10-402.
`
`On information and belief, Defendant willfully intercepted, and or
`
`endeavored to intercept, and or procured others to intercept or endeavor to intercept the
`
`“contents” of Plaintiffs’ and Maryland Class Members' internet communications, related
`
`records, subscriber identity, or other information, without authorization, in clear violation
`
`of Maryland Code, § 10-402(a)(1), by causing the “phishing” application Toast Plus to be
`
`published and distributed to Plaintiff and the Maryland Class Members.
`
`69.
`
`Plaintiffs and the Maryland Class members have been and are aggrieved
`
`by Defendant’s above-described willful activity, including loss of present day value of
`
`14
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 15 of 24
`
`cryptocurrency, loss of investment value of the same, loss of time in investigating the
`
`conduct, and violations of the right of privacy.
`
`70.
`
`Pursuant to Md. Code Ann. § 10-410, which provides a civil action for
`
`Defendant’s above-described willful activity, Plaintiff demands monetary damages of
`
`$100 a day for each violation or $1,000, whichever is higher, for Plaintiff and each
`
`Maryland Class member; punitive damages as the Court considers just; and reasonable
`
`attorneys’ fees and other litigation costs reasonably incurred.
`
`71.
`
`Furthermore, unless restrained and enjoined, Defendant will continue to
`
`commit such acts. Plaintiff’s remedy at law is not adequate to compensate it for these
`
`inflicted and threatened injuries, entitling Plaintiff to remedies including injunctive relief
`
`as provided Maryland Code § 10-410. Plaintiff therefore requests that Defendant be
`
`enjoined and restrained from distributing such “phishing” or “spoofing” applications in
`
`the App Store, and that this Court retain jurisdiction over this matter to monitor
`
`compliance with such an order.
`
`COUNT IV
`Disclosure of Electronic Communications in
`Violation of Md. Code Ann., Wiretap & Electronic Surveillance Act § 10-402(a)(2)(on
`behalf of Plaintiff and the Maryland Class)
`
`72.
`
`Plaintiff repeats and incorporates herein by reference the allegations in the
`
`preceding paragraphs of this Complaint, as if set forth fully herein.
`
`73.
`
`74.
`
`Defendant is a “person” with the meaning of Md. Code Ann. § 10-402.
`
`On information and belief, Defendant willfully disclosed, and or
`
`endeavored to disclose, and or procured others to disclose or endeavor to disclose the
`
`“contents” of Plaintiffs’ and Statewide class members’ telephone and or internet
`
`communications, related records, subscriber identity, or other information, without
`
`15
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 16 of 24
`
`authorization, in clear violation of Md. Code Ann., § 10-402(a)(2), by causing the
`
`“phishing” or “spoofing” application Toast Plus to be published and distributed to
`
`Plaintiff and the Class Members.
`
`75.
`
`On information and belief, there is a strong likelihood that Defendant is
`
`now engaging in and will continue to engage in the above-described willful activity in
`
`clear violation of Md. Code Ann. § 10-402(a)(2), and that likelihood represents a credible
`
`threat of immediate future harm.
`
`76.
`
`Plaintiffs and Maryland Class members have been and are aggrieved by
`
`Defendant’s above-described willful activity.
`
`77.
`
`Pursuant to Md. Code Ann. § 10-410, which provides a civil action for
`
`Defendant’s above-described willful activity, Plaintiff demands monetary damages of
`
`$100 a day for each violation or $1,000, whichever is higher, for Plaintiff and each
`
`Maryland Class member; punitive damages as the Court considers just; and reasonable
`
`attorneys’ fees and other litigation costs reasonably incurred.
`
`78.
`
`Furthermore, unless restrained and enjoined, Defendant will continue to
`
`commit such acts. Plaintiff’s remedy at law is not adequate to compensate it for these
`
`inflicted and threatened injuries, entitling Plaintiff to remedies including injunctive relief
`
`as provided Maryland Code § 10-410. Plaintiff therefore requests that Defendant be
`
`enjoined and restrained from distributing such “phishing” or “spoofing” applications in
`
`the App Store, and that this Court retain jurisdiction over this matter to monitor
`
`compliance with such an order.
`
`16
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 17 of 24
`
`COUNT V
`Violation(s) of the Maryland Personal Information Protection Act
`Md. Ann. Code, Commercial Law, § 14-3501, et seq.
`(on behalf of Plaintiff and the Maryland Class)
`
`79.
`
`Plaintiff repeats and incorporates herein by reference the allegations in the
`
`preceding paragraphs of this Complaint, as if set forth fully herein.
`
`80.
`
`81.
`
`Plaintiff resides in Maryland.
`
`Defendant is a business that owns Personal Information of the Plaintiff
`
`and the Class Members residing in the State.
`
`82.
`
`The application Toast Plus is a “phishing” or “spoofing” application, one
`
`whose only purpose is to intercept financial information that was intended for another,
`
`legitimate recipient.
`
`83.
`
`Defendant came to know of this illegitimate nature of the Toast Plus
`
`application some time before Plaintiff became aware of her loss of private data.
`
`84.
`
`This security breach included information that is considered Personal
`
`Information under the “Maryland Personal Information Protection Act,” Maryland Code,
`
`Commercial Law, § 14-3501, et seq. (“PIPA”), in that it included “Financial
`
`Information” and or “Personal Information,” as defined therein and or by reference.
`
`85.
`
`On information and belief, Plaintiff's and Class Member's Personal
`
`Information was taken as a result of the distribution of the Toast Plus application.
`
`86.
`
`The servers and network connections in which the data breach occurred
`
`was controlled by Defendant.
`
`87.
`
`Defendant failed to “implement and maintain reasonable security
`
`procedures and practices that are appropriate to the nature of the personal information
`
`17
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 18 of 24
`
`owned or licensed and the nature and size of the business and its operations,” which was
`
`the direct cause of the data breach.
`
`88.
`
`89.
`
`This failure constitutes a violation of PIPA.
`
`The Defendant further failed to properly notify Plaintiff and the Class
`
`Members of the unauthorized access of their Personal Information, as required by PIPA,
`
`in that no notice was given whatsoever.
`
`90.
`
`91.
`
`That notification failure constitutes a violation of PIPA
`
`Each of the Defendant's failures under PIPA constitute violations of
`
`Maryland Code Annotated, Commercial Law, Title 13, the “Consumer Protection Act”
`
`(“MCPA”).
`
`92.
`
`Plaintiff therefore claims statutory damages for herself and the Maryland
`
`Class Members, pursuant to Maryland Code Annotated, Commercial Law, Title 13, for
`
`each and every violation of the same.
`
`93.
`
`Plaintiff further claims attorney’s fees and costs of suit, as authorized
`
`under the MCPA.
`
`COUNT VI
`Violation(s) of Each State's Personal Information Protection Acts
`(on behalf of all Classes)
`
`94.
`
`Plaintiff repeats and incorporates herein by reference the allegations in the
`
`preceding paragraphs of this Complaint, as if set forth fully herein.
`
`95.
`
`Each and every State of the United States has a personal data and or
`
`privacy breach statute.
`
`18
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 19 of 24
`
`96.
`
`Defendant is a business that owns Personal Information of the Class
`
`Members residing in each State.
`
`97.
`
`The application Toast Plus is a “phishing” or “spoofing” application, one
`
`whose only purpose is to intercept financial information that was intended for another,
`
`legitimate recipient.
`
`98.
`
`Defendant came to know of this illegitimate nature of the Toast Plus
`
`application some time before the Class Members became aware of their loss of private
`
`data.
`
`99.
`
`This security breach included information that is considered Personal
`
`Information under each of the State's data breach protection laws, in that it included
`
`“Financial Information” and or “Personal Information,” as defined therein and or by
`
`reference.
`
`100.
`
`On information and belief, Plaintiff's and Class Member's Personal
`
`Information was taken as a result of the distribution of the Toast Plus application.
`
`101.
`
`The servers and network connections in which the data breach occurred
`
`was controlled by Defendant.
`
`102.
`
`Defendant failed to implement and maintain reasonable security
`
`procedures and practices that are appropriate to the nature of the personal information
`
`owned or licensed and the nature and size of the business and its operations, which was
`
`the direct cause of the data breach.
`
`103.
`
`This failure constitutes a violation of each State's data breach protection
`
`laws.
`
`19
`
`

`

`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 20 of 24
`
`104.
`
`The Defendant further failed to properly notify Plaintiff and the Class
`
`Members of the unauthorized access of their Personal Information,

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket