TANASI LAW OFFICES
Richard Tanasi, Esq.
8716 W. Spanish Ridge Ave. Suite 105
Las Vegas, NV 89148
Telephone: 702-906-2411
Facsimile: 866-299-4274
rtanasi@tanasilaw.com

MORGAN & MORGAN COMPLEX LITIGATION GROUP
John A. Yanchunis (pro hac vice to be submitted)
Jean S. Martin (pro hac vice to be submitted)
Marcio Valladares (pro hac vice to be submitted)
201 N. Franklin Street, 7th Floor
Tampa, FL 33602
Telephone: (813) 223-5505
Facsimile: (813) 223-5402
jyanchunis@forthepeople.com
jeanmartin@forthepeople.com
mvalladares@forthepeople.com

LAW OFFICE OF PAUL C. WHALEN, P.C.
Paul C. Whalen (pro hac vice to be submitted)
768 Plandome Road
Manhasset, NY 11030
Telephone: (516) 426-6870
paul@paulwhalen.com

Additional Counsel Listed On Signature Page

UNITED STATES DISTRICT COURT
DISTRICT OF NEVADA

JOHN SMALLMAN, ON BEHALF OF HIMSELF AND ALL OTHERS SIMILARLY SITUATED,

Plaintiff,

v.

MGM RESORTS INTERNATIONAL,

Defendant.

CASE NO.:

CLASS ACTION

COMPLAINT FOR DAMAGES, EQUITABLE, DECLARATORY AND INJUNCTIVE RELIEF

JURY DEMAND

CLASS ACTION COMPLAINT

Case 2:20-cv-00376-JAD-NJK Document 8 Filed 02/24/20 Page 2 of 30

Plaintiff John Smallman (“Plaintiff”), individually, by and through the undersigned counsel, brings this class action lawsuit against MGM Resorts International (“Defendant,” or “MGM”), on behalf of himself and all others similarly situated, and alleges, based upon information and belief and the investigation of his counsel, as follows:

INTRODUCTION

1. MGM Resorts International is a global hospitality and entertainment company operating destination resorts throughout the world. Millions of people stay in MGM Resort properties every year, and in so doing provide MGM with a host of their personally identifiable information (“PII”).1

1 Personally identifiable information generally incorporates information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information. 2 CFR § 200.79. At a minimum, it includes all information that on its face expressly identifies an individual. PII also is generally defined to include certain identifiers that do not on their face name an individual, but that are considered to be particularly sensitive and/or valuable if in the wrong hands (for example, Social Security number, passport number, driver’s license number, financial account number).

2. In late 2019, MGM revealed that earlier in the summer an unauthorized individual accessed MGM’s computer network system, downloaded customer data and then posted part of the data on a closed internet forum (“Data Breach”).

3. The PII exposed in the Data Breach included, among other things: customer names, addresses, driver’s license numbers, passport numbers, military identification numbers, phone numbers, emails and dates of birth.

4. MGM has indicated that, on or about September 5, 2019, it notified affected customers that their PII had been exfiltrated, but assured them that “there is no evidence that your information has been misused.” Seeking to avoid additional negative publicity on the heels of the mass shooting that occurred 8 months earlier, MGM avoided bringing the matter to public light, hoping that the Breach and its inadequate cyber security practices would go unnoticed.

5. Unfortunately, the miscreants that took and/or acquired the sensitive PII had other plans, and on February 19, 2020, internet technology publication ZDNet revealed that the personally identifiable information of more than 10.6 million MGM hotel guests had been posted on a popular internet hacking forum, available for misuse by a host of bad actors.

6. MGM acknowledged that the exposed PII was a result of the Data Breach that occurred in the summer of 2019.

7. The Data Breach was a direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect customer PII.

8. Defendant disregarded the rights of Plaintiff and Class Members (defined below) by, inter alia, intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions; failing to disclose that it did not have adequately robust computer systems and security practices to safeguard customer PII; failing to take standard and reasonably available steps to prevent the Data Breach; failing to monitor and timely detect the Data Breach; and failing to provide Plaintiff and Class Members prompt and accurate notice of the Data Breach.

9. As a result of Defendant’s failure to implement and follow basic security procedures, MGM customer PII is now in the hands of thieves. Plaintiff and Class Members have had to spend, and will continue to spend, significant amounts of time and money in an effort to protect themselves from the adverse ramifications of the Data Breach, and will forever be at a heightened risk of identity theft and fraud.

10. Plaintiff, on behalf of all others similarly situated, alleges claims for negligence, breach of implied contract, unjust enrichment, breach of confidence and violation of the Nevada Consumer Fraud Act and seeks to compel Defendant to adopt reasonably sufficient security practices to safeguard customer PII that remains in its custody in order to prevent incidents like the Data Breach from reoccurring in the future.

PARTIES

11. Plaintiff John Smallman is a resident of California and an MGM customer. Over the last 10 years, Plaintiff Smallman has stayed at the Luxor, giving copies of his driver’s license, as well as payment card and other PII. During his visits to Las Vegas, Plaintiff Smallman also used his payment cards at Bellagio.

12. Plaintiff suffered actual injury from having their PII stolen as a result of the Data Breach including, but not limited to: (a) paying monies to MGM for its goods and services which they would not have had if MGM disclosed that it lacked data security practices adequate to safeguard consumers’ PII from theft; (b) damages to and diminution in the value of their PII—a form of intangible property that the Plaintiff entrusted to MGM as a condition of receiving MGM services; (c) loss of their privacy; (d) imminent and impending injury arising from the increased risk of fraud and identity theft.

13. As a result of the Data Breach, Plaintiff will continue to be at heightened risk for financial fraud and identity theft, and their attendant damages for years to come.

14. Defendant MGM Resorts International is a Delaware corporation headquartered at 3600 Las Vegas Blvd South, Las Vegas, NV 89109. It is a global hospitality and entertainment company operating destination resorts throughout the world.

JURISDICTION AND VENUE

15. This Court has subject matter jurisdiction over this action under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2). The amount in controversy exceeds $5 million, exclusive of interest and costs. There are more than 10 million putative class members, many of whom have different citizenship from MGM.

16. This Court has jurisdiction over the Defendant which operates in this District, and the computer systems implicated in this Data Breach are likely based in this District.

17. Through its business operations in this District, MGM intentionally avails itself of the markets within this District to render the exercise of jurisdiction by this Court just and proper.

18. Venue is proper in this Court pursuant to 28 U.S.C. § 1391(a)(1) because a substantial part of the events giving rise to this action occurred in this District. MGM is based in this District, maintains customer PII in the District and has caused harm to Plaintiff and Class members residing in this District.

STATEMENT OF FACTS

A. The MGM Data Breach

19. On or about July 7, 2019, an unauthorized individual gained access to MGM Resorts International’s computer network system, exfiltrated customer data, and then disclosed a subset of that data on a closed internet forum.

20. The data consisted of a treasure trove of MGM customer PII including: names, addresses, driver’s license numbers, passport numbers, military identification numbers, phone numbers, emails and dates of birth.

21. Although the PII was subsequently removed from the closed internet site, in mid-February 2020 the seemingly full set of data containing the PII of more than 10.6 million MGM guests was published on a well-known hacking forum, visible to any number of dark web miscreants.

22. Internet security specialists recognized that the PII leaked in the Data Breach presents “a treasure trove” of contact details on customers, many of whom will now “face a higher risk of receiving spear-phishing emails, and being SIM swapped.”2 “The fact that the breach happened about seven months ago without any public disclosure may have led MGM to believe the data was not going to be used by the thieves, but as with many breaches malicious actors sometimes wait months or years to tip their hand” presenting an ongoing problem for affected users.3

2 ZDNet, Exclusive: Details of 10.6 million MGM hotel guests posted on a hacking forum, February 19, 2020, https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/

3 SC Magazine, February 20, 2020, MGM admits to 2019 data breach affecting 10.6 million customers, https://www.scmagazine.com/home/security-news/data-breach/mgm-admits-to-2019-data-breach-affecting-10-6-million-customers/

23. On or about September 5, 2019, MGM notified affected customers and various governmental agencies of the Data Breach, but otherwise kept news of the breach quiet. The Notice of Data Incident (“Notice”) stated in relevant part:

Notice of Data Incident

What Happened

On or about July 7, 2019, an individual accessed MGM Resorts International’s computer network system without permission. The individual downloaded partial customer data from MGM’s computer systems, then posted and disclosed part of the data on a closed internet forum. No customer financial information, passwords or credit cards were part of the data in question and it was taken down and removed from the closed internet site.

What Information Was Involved

MGM immediately initiated an internal forensic investigation into this incident. MGM conducted an exhaustive investigation and search of the downloaded data from the closed internet site. On August 9, 2019, MGM determined your First Name, Last Name, and Driver’s License Number were part of the compromised file. Again, no financial information, passwords or credit cards were included in the database.

What We Are Doing

We take the security of our customers’ data seriously, and after MGM became aware of the event, we took immediate measures to investigate and remediate the incident. We have implemented additional safeguards to improve further data security related to external software incidents. Furthermore, MGM reported the incident to law enforcement immediately once MGM discovered the matter. In addition, we are offering identity theft protection services through ID Experts®, the data incident and recovery services expert, to provide you with MyIDCare™. MyIDCare services include: 12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services. With this protection, MyIDCare will help you resolve issues if your identity is compromised.

What You Can Do

We encourage you to contact ID Experts with any questions and to enroll in free MyIDCare services by calling 833-959-1344 or going to https://ide.myidcare.com/mgmri and using the Enrollment Code provided above.

***

Again, at this time, there is no evidence that your information has been misused. However, we encourage you to take full advantage of this service offering. MyIDCare representatives have been fully versed on the incident and can answer questions or concerns you may have regarding protection of your personal information.4

4 Exhibit A.

B. MGM Privacy Policies

24. MGM maintains a Privacy Policy wherein it details the PII it collects from customers and promises to maintain the security and integrity of such data.

MGM RESORTS PRIVACY POLICY5

MGM Resorts International values your patronage and respects your privacy. This Privacy Policy ("Policy") describes the information collection, use, protection, and sharing practices of MGM Resorts International and MGM Resorts International web sites, mobile applications, electronic communications, and properties

We collect information from a variety of sources and in a variety of ways, including the following:

Personal Information. When you visit, use, and/or access MGM Resorts or MGM Online Services, you may provide us with (and/or we may collect) information by which you can be personally identified including your name, date of birth, postal address, e-mail address, and telephone number, and videos, recordings, and images of you (“Personal Information”). We may also obtain Personal Information from third parties.

Sensitive Information. When you make a purchase, visit, use and/or access MGM Resorts or MGM Online Services, or engage in other transactions or activities, you may provide us with sensitive Personal Information including your credit or debit card number, financial account number, biometrics, medical/health-related information, driver’s license number, government-issued identification card number, social security number, passport number, or naturalization number (“Sensitive Information”).

SECURITY

Information maintained in electronic form that is collected by MGM Resorts International and any individual MGM Resort is stored on systems protected by industry standard security measures. These security measures are intended to protect these systems from unauthorized access. No security system is impenetrable and these systems could become accessible in the event of a security breach. We have controls in place that are designed to detect potential data breaches, contain and minimize the loss of data, and conduct forensic investigations of a breach.

Our staff is required to take reasonable measures to ensure that unauthorized persons cannot view or access your Personal Information. Employees who violate our internal privacy policies are subject to disciplinary action, up to and including termination of employment.

5 https://www.mgmresorts.com/en/privacy-policy.html

25. Although MGM claims to employ “industry standard security measures,” this representation, along with the promise to maintain the integrity of customer PII, was belied by its failure to impose and maintain the necessary safeguards that would have prevented the Data Breach.

C. Prevalence of Cyber Attacks and Susceptibility of the Hotel Industry

26. In 2016, the number of U.S. data breaches surpassed 1,000, a record high and a forty percent increase in the number of data breaches from the previous year.6 In 2017 a new record high of 1,579 breaches was reported, representing a 44.7 percent increase over 2016.7 The number of yearly data breaches has remained steady, with 1,473 breaches reported in 2019.8

6 Identity Theft Resource Center, Data Breaches Increase 40 Percent in 2016, Finds New Report From Identity Theft Resource Center and CyberScout (Jan. 19, 2017), available at https://www.idtheftcenter.org/surveys-studys.

7 Identity Theft Resource Center, 2017 Annual Data Breach Year-End Review, available at https://www.idtheftcenter.org/2017-data-breaches/.

8 Identity Theft Resource Center, 2019 End-of-Year Data Breach Report. Available at https://www.idtheftcenter.org/2019-data-breaches/?utm_source=web&utm_medium=sitewidenotice&utm_campaign=01282020_2019DataBreachReport

27. The type of PII collected by hotels makes this sector particularly susceptible to cyber-attack. Trustwave’s "2018 Global Security Report" lists hospitality as one of the top three industries most vulnerable to payment card breaches while other estimates project that hotels are the unwelcome recipients of around 20 percent of all cyberattacks.9 Indeed, Marriott, Hilton, Hyatt, and Trump hotels have all been cited for large-scale data negligence over the past few years. “Such unfortunate trends should not come as much of a surprise since hotels are hotbeds of sensitive information. Their data is spread out across porous digital systems and their sales are usually conducted through weak point-of-sale systems.” Id.

9 Hotel Management, Why cybersecurity matters, https://www.hotelmanagement.net/tech/why-cybersecurity-matters

28. “While hospitality companies have fewer transactions than retail organizations — and thus have data on fewer customers to steal — they collect substantially more valuable and varied personal data for each of their guests…. This rich personal data is invaluable to cybercriminals. They can use this data to better impersonate each breached customer, leading to additional identity theft and social engineering attacks against each individual’s company. By enabling further attacks, breaching a hotel provides cybercriminals much more value than breaching a company in almost any other industry.”10

10 Cybersecurity in Hospitality: An Unsolvable Problem?, Paladion Networks, https://www.paladion.net/cybersecurity-in-hospitality-an-unsolvable-problem

D. MGM Acquires, Collects, and Stores Plaintiff’s and Class Members’ PII

29. As its Privacy Policy makes clear, MGM acquires, collects, and stores a massive amount of personally identifiable information on its customers.

30. As a condition of staying at its hotel properties, MGM requires that its customers entrust it with highly sensitive personal information.

31. By obtaining, collecting, using, and deriving a benefit from Plaintiff’s and Class Members’ PII, MGM assumed legal and equitable duties and knew or should have known that it was responsible for protecting Plaintiff’s and Class Members’ PII from disclosure.

32. Plaintiff and the Class Members have taken reasonable steps to maintain the confidentiality of their PII.

33. Plaintiff and the Class Members relied on MGM to keep their PII confidential and securely maintained, to use this information for business purposes only, and to make only authorized disclosures of this information.

E. The Value of Personally Identifiable Information and the Effects of Unauthorized Disclosure

34. MGM was well aware that the PII it collects is highly sensitive, and of significant value to those who would use it for wrongful purposes.

35. Personally identifiable information is a valuable commodity to identity thieves. As the FTC recognizes, with PII identity thieves can commit an array of crimes including identity theft, medical and financial fraud.11 Indeed, a robust “cyber black market” exists in which criminals openly post stolen PII on multiple underground Internet websites.

11 Federal Trade Commission, Warning Signs of Identity Theft, https://www.consumer.ftc.gov/articles/0271-warning-signs-identity-theft

36. The ramifications of MGM’s failure to keep its customers’ PII secure are long-lasting and severe. Once PII is stolen, fraudulent use of that information and damage to victims may continue for years.

37. “The fact that the breach happened about seven months ago without any public disclosure may have led MGM to believe the data was not going to be used by the thieves, but as with many breaches malicious actors sometimes wait months or years to tip their hand. This is a great example of how these breaches and their fallout can continue to haunt businesses for quite some time. It’s likely MGM thought this incident was far in the rear view, but the value of their particular dataset continues to have appeal….”12

12 SC Magazine, February 20, 2020, MGM admits to 2019 data breach affecting 10.6 million customers, https://www.scmagazine.com/home/security-news/data-breach/mgm-admits-to-2019-data-breach-affecting-10-6-million-customers/

38. At all relevant times, MGM knew, or reasonably should have known, of the importance of safeguarding PII and of the foreseeable consequences if its data security systems were breached, including the significant costs that would be imposed on customers as a result of a breach.

F. MGM Fails to Comply with FTC Guidelines

39. The Federal Trade Commission (“FTC”) has promulgated numerous guides for businesses which highlight the importance of implementing reasonable data security practices. According to the FTC, the need for data security should be factored into all business decision-making.13

13 Federal Trade Commission, Start With Security, available at https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf.

40. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide for Business, which established cyber-security guidelines for businesses.14 The guidelines note that businesses should protect the personal customer information that they keep; properly dispose of personal information that is no longer needed; encrypt information stored on computer networks; understand their network’s vulnerabilities; and implement policies to correct any security problems. The guidelines also recommend that businesses use an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating someone is attempting to hack the system; watch for large amounts of data being transmitted from the system; and have a response plan ready in the event of a breach.

14 Federal Trade Commission, Protecting Personal Information: A Guide for Business, available at https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf.

41. The FTC further recommends that companies not maintain PII longer than is needed for authorization of a transaction; limit access to sensitive data; require complex passwords to be used on networks; use industry-tested methods for security; monitor for suspicious activity on the network; and verify that third-party service providers have implemented reasonable security measures.15

15 FTC, Start With Security, supra note 19.

42. The FTC has brought enforcement actions against businesses for failing to adequately and reasonably protect customer data, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take to meet their data security obligations.

43. MGM failed to properly implement basic data security practices. MGM’s failure to employ reasonable and appropriate measures to protect against unauthorized access to customer PII constitutes an unfair act or practice prohibited by Section 5 of the FTC Act, 15 U.S.C. § 45.

44. MGM was at all times fully aware of its obligation to protect the PII of customers because of its position as a trusted healthcare provider. MGM was also aware of the significant repercussions that would result from its failure to do so.

G. MGM Fails to Comply with Industry Standards

45. Cyber security firms have routinely identified the hotel sector as one particularly vulnerable to cyber-attacks because of the value of the PII which they maintain. These firms have promulgated a series of best practices that at a minimum should be implemented by sector participants including, but not limited to: installing appropriate malware detection software; monitoring and limiting the network ports; protecting web browsers and email management systems; setting up network systems such as firewalls, switches and routers; monitoring and protection of physical security systems; protection against any possible communication system; training hotel staff regarding critical points.16

16 https://opendatasecurity.io/how-to-work-on-hotel-cyber-security/

46. MGM acknowledged the Data Breach was through a cloud server exposure. Although it did not state how or why the cloud server was exposed, “this could have easily been caused from poor cloud configuration and security hygiene….”17

17 SC Magazine, February 20, 2020, MGM admits to 2019 data breach affecting 10.6 million customers, https://www.scmagazine.com/home/security-news/data-breach/mgm-admits-to-2019-data-breach-affecting-10-6-million-customers/

H. Plaintiff and Class Members Suffered Damages

47. The ramifications of Defendant’s failure to keep Customers’ PII secure are long-lasting and severe. Once PII is stolen, fraudulent use of that information and damage to victims may continue for years. Consumer victims of data breaches are more likely to become victims of identity fraud.18

18 2014 LexisNexis True Cost of Fraud Study, https://www.lexisnexis.com/risk/downloads/assets/true-cost-fraud-2014.pdf.

48. The PII belonging to Plaintiff and Class Members is private, sensitive in nature, and was left inadequately protected by Defendant who did not obtain Plaintiff’s or Class Members’ consent to disclose such PII to any other person as required by applicable law and industry standards.

49. The Data Breach was a direct and proximate result of MGM’s failure to: (a) properly safeguard and protect Plaintiff’s and Class Members’ PII from unauthorized access, use, and disclosure, as required by various state and federal regulations, industry practices, and common law; (b) establish and implement appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of Plaintiff’s and Class Members’ PII; and (c) protect against reasonably foreseeable threats to the security or integrity of such information.

50. Defendant is a multi-billion-dollar company and had the resources necessary to prevent the Breach, but neglected to adequately invest in data security measures, despite its obligation to protect customer data.

51. Had Defendant remedied the deficiencies in its data security systems and adopted security measures recommended by experts in the field, it would have prevented the intrusions into its systems and, ultimately, the theft of PII.

52. As a direct and proximate result of Defendant’s wrongful actions and inactions, Plaintiff and Class Members have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft and fraud, requiring them to take the time which they otherwise would have dedicated to other life demands such as work and family in an effort to mitigate the actual and potential impact of the Data Breach on their lives. The U.S. Department of Justice’s Bureau of Justice Statistics found that “among victims who had personal information used for fraudulent purposes, 29% spent a month or more resolving problems” and that “resolving the problems caused by identity theft [could] take more than a year for some victims.”19

19 U.S. Department of Justice, Office of Justice Programs Bureau of Justice Statistics, Victims of Identity Theft, 2012, December 2013 available at https://www.bjs.gov/content/pub/pdf/vit12.pdf (last visited April 19, 2019).

53. To date, MGM has merely offered 12 months of identity monitoring services at no charge.20 The offer, however, is wholly inadequate as it fails to provide for the fact that victims of data breaches and other unauthorized disclosures commonly face multiple years of ongoing identity theft and it entirely fails to provide any compensation for the unauthorized release and disclosure of Plaintiff’s and Class Members’ PII.

20 Exhibit A.

54. Furthermore, Defendant’s credit monitoring offer to Plaintiff and Class Members squarely places the burden on Plaintiff and Class Members, rather than on the Defendant, to investigate and protect themselves from Defendant’s tortious acts resulting in the Data Breach. Rather than automatically enrolling Plaintiff and Class Members in credit monitoring services upon discovery of the breach, Defendant merely sent instructions “offering” the services to affected customers, recommending they sign up for the services.

55. As a result of the Defendant’s failures to prevent the Data Breach, Plaintiff and Class Members have suffered, will suffer, or are at increased risk of suffering:

a. The compromise, publication, theft and/or unauthorized use of their PII;

b. Out-of-pocket costs associated with the prevention, detection, recovery and remediation from identity theft or fraud;

c. Lost opportunity costs and lost wages associated with efforts expended and the loss of productivity from addressing and attempting to mitigate the actual and future consequences of the Data Breach, including but not limited to efforts spent researching how to prevent, detect, contest and recover from identity theft and fraud;
`d. The continued risk to their PII, which remains in t