Case 2:20-cv-00376-JAD-NJK Document 8 Filed 02/24/20 Page 1 of 30

TANASI LAW OFFICES
Richard Tanasi, Esq.
8716 W. Spanish Ridge Ave. Suite 105
Las Vegas, NV 89148
Telephone: 702-906-2411
Facsimile: 866-299-4274
rtanasi@tanasilaw.com

MORGAN & MORGAN COMPLEX
LITIGATION GROUP
John A. Yanchunis (pro hac vice to be submitted)
Jean S. Martin (pro hac vice to be submitted)
Marcio Valladares (pro hac vice to be submitted)
201 N. Franklin Street, 7th Floor
Tampa, FL 33602
Telephone: (813) 223-5505
Facsimile: (813) 223-5402
jyanchunis@forthepeople.com
jeanmartin@forthepeople.com
mvalladares@forthepeople.com

LAW OFFICE OF PAUL C. WHALEN, P.C.
Paul C. Whalen (pro hac vice to be submitted)
768 Plandome Road
Manhasset, NY 11030
Telephone: (516) 426-6870
paul@paulwhalen.com

Additional Counsel Listed On Signature Page

UNITED STATES DISTRICT COURT
DISTRICT OF NEVADA

JOHN SMALLMAN, ON BEHALF OF
HIMSELF AND ALL OTHERS
SIMILARLY SITUATED,

Plaintiff,

v.

MGM RESORTS INTERNATIONAL,

Defendant.

CASE NO.:

CLASS ACTION

COMPLAINT FOR DAMAGES,
EQUITABLE, DECLARATORY AND
INJUNCTIVE RELIEF

JURY DEMAND

CLASS ACTION COMPLAINT

Plaintiff John Smallman (“Plaintiff”), individually, by and through the undersigned counsel,
brings this class action lawsuit against MGM Resorts International (“Defendant,” or “MGM”), on
behalf of himself and all others similarly situated, and alleges, based upon information and belief and
the investigation of his counsel as follows:

INTRODUCTION

1. MGM Resorts International is a global hospitality and entertainment company
operating destination resorts throughout the world. Millions of people stay in MGM Resort
properties every year, and in so doing provide MGM with a host of their personally identifiable
information (“PII”).1

2. In late 2019, MGM revealed that earlier in the summer an unauthorized individual
accessed MGM’s computer network system, downloaded customer data and then posted part of the
data on a closed internet forum (“Data Breach”).

3. The PII exposed in the Data Breach included, among other things: customer names,
addresses, driver’s license numbers, passport numbers, military identification numbers, phone
numbers, emails and dates of birth.

4. MGM has indicated that, on or about September 5, 2019, it notified affected
customers that their PII had been exfiltrated, but assured them that “there is no evidence that your
information has been misused.” Seeking to avoid additional negative publicity on the heels of the
mass shooting that occurred 8 months earlier, MGM avoided bringing the matter to public light,
hoping that the Breach and its inadequate cyber security practices would go unnoticed.

1 Personally identifiable information generally incorporates information that can be used to
distinguish or trace an individual's identity, either alone or when combined with other personal or
identifying information 2 CFR § 200.79. At a minimum, it includes all information that on its face
expressly identifies an individual. PII also is generally defined to include certain identifiers that do
not on their face name an individual, but that are considered to be particularly sensitive and/or
valuable if in the wrong hands (for example, Social Security number, passport number, driver’s
license number, financial account number).

5. Unfortunately, the miscreants that took and/or acquired the sensitive PII had other
plans, and on February 19, 2020, internet technology publication ZDNet revealed that the personally
identifiable information of more than 10.6 million MGM hotel guests had been posted on a popular
internet hacking forum, available for misuse by a host of bad actors.

6. MGM acknowledged that the exposed PII was a result of the Data Breach that
occurred in the summer of 2019.

7. The Data Breach was a direct result of Defendant’s failure to implement adequate and
reasonable cyber-security procedures and protocols necessary to protect customer PII.

8. Defendant disregarded the rights of Plaintiff and Class Members (defined below) by,
inter alia, intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable
measures to ensure its data systems were protected against unauthorized intrusions; failing to
disclose that it did not have adequately robust computer systems and security practices to safeguard
customer PII; failing to take standard and reasonably available steps to prevent the Data Breach;
failing to monitor and timely detect the Data Breach; and failing to provide Plaintiff and Class
Members prompt and accurate notice of the Data Breach.

9. As a result of Defendant’s failure to implement and follow basic security procedures,
MGM customer PII is now in the hands of thieves. Plaintiff and Class Members have had to spend,
and will continue to spend, significant amounts of time and money in an effort to protect themselves
from the adverse ramifications of the Data Breach, and will forever be at a heightened risk of
identity theft and fraud.

10. Plaintiff, on behalf of all others similarly situated, alleges claims for negligence,
breach of implied contract, unjust enrichment, breach of confidence and violation of the Nevada
Consumer Fraud Act and seeks to compel Defendant to adopt reasonably sufficient security practices
to safeguard customer PII that remains in its custody in order to prevent incidents like the Data
Breach from reoccurring in the future.

PARTIES

11. Plaintiff John Smallman is a resident of California and an MGM customer. Over the
last 10 years, Plaintiff Smallman has stayed at the Luxor, giving copies of his driver’s license, as well
as payment card and other PII. During his visits to Las Vegas, Plaintiff Smallman also used his
payment cards at Bellagio.

12. Plaintiff suffered actual injury from having their PII stolen as a result of the Data
Breach including, but not limited to: (a) paying monies to MGM for its goods and services which
they would not have had if MGM disclosed that it lacked data security practices adequate to
safeguard consumers’ PII from theft; (b) damages to and diminution in the value of their PII—a form
of intangible property that the Plaintiff entrusted to MGM as a condition of receiving MGM
services; (c) loss of their privacy; (d) imminent and impending injury arising from the increased risk
of fraud and identity theft.

13. As a result of the Data Breach, Plaintiff will continue to be at heightened risk for
financial fraud and identity theft, and their attendant damages for years to come.

14. Defendant MGM Resorts International is a Delaware corporation headquartered at
3600 Las Vegas Blvd South Las Vegas, NV 89109. It is a global hospitality and entertainment
company operating destination resorts throughout the world.

JURISDICTION AND VENUE

15. This Court has subject matter jurisdiction over this action under the Class Action
Fairness Act, 28 U.S.C. § 1332(d)(2). The amount in controversy exceeds $5 million, exclusive of
interest and costs. There are more than 10 million putative class members, many of whom have
different citizenship from MGM.

16. This Court has jurisdiction over the Defendant which operates in this District, and the
computer systems implicated in this Data Breach are likely based in this District.

17. Through its business operations in this District, MGM intentionally avails itself of the
markets within this District to render the exercise of jurisdiction by this Court just and proper.

18. Venue is proper in this Court pursuant to 28 U.S.C. § 1391(a)(1) because a substantial
part of the events giving rise to this action occurred in this District. MGM is based in this District,
maintains customer PII in the District and has caused harm to Plaintiff and Class members residing
in this District.

STATEMENT OF FACTS

A. The MGM Data Breach

19. On or about July 7, 2019, an unauthorized individual gained access to MGM Resorts
International’s computer network system, exfiltrated customer data, and then disclosed a subset of
that data on a closed internet forum.

20. The data consisted of a treasure trove of MGM customer PII including: names,
addresses, driver’s license numbers, passport numbers, military identification numbers, phone
numbers, emails and dates of birth.

21. Although the PII was subsequently removed from the closed internet site, in mid-February
2020 the seemingly full set of data containing the PII of more than 10.6 million MGM
guests was published on a well-known hacking forum, visible to any number of dark web
miscreants.

22. Internet security specialists recognized that the PII leaked in the Data Breach presents
“a treasure trove” of contact details on customers, many of whom will now “face a higher risk of
receiving spear-phishing emails, and being SIM swapped.”2 “The fact that the breach happened
about seven months ago without any public disclosure may have led MGM to believe the data was
not going to be used by the thieves, but as with many breaches malicious actors sometimes wait
months or years to tip their hand” presenting an ongoing problem for affected users.3

2 ZDNet, Exclusive: Details of 10.6 million MGM hotel guests posted on a hacking forum, February
19, 2020, https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/

23. On or about September 5, 2019, MGM notified affected customers and various
governmental agencies of the Data Breach, but otherwise kept news of the breach quiet. The Notice
of Data Incident (“Notice”) stated in relevant part.

Notice of Data Incident

What Happened

On or about July 7, 2019, an individual accessed MGM Resorts
International’s computer network system without permission. The
individual downloaded partial customer data from MGM’s computer
systems, then posted and disclosed part of the data on a closed internet
forum. No customer financial information, passwords or credit cards were
part of the data in question and it was taken down and removed from the
closed internet site.

What Information Was Involved

MGM immediately initiated an internal forensic investigation into this
incident. MGM conducted an exhaustive investigation and search of the
downloaded data from the closed internet site. On August 9, 2019, MGM
determined your First Name, Last Name, and Driver’s License Number
were part of the compromised file. Again, no financial information,
passwords or credit cards were included in the database.

What We Are Doing

We take the security of our customers’ data seriously, and after MGM
became aware of the event, we took immediate measures to investigate
and remediate the incident. We have implemented additional safeguards to
improve further data security related to external software incidents.
Furthermore, MGM reported the incident to law enforcement immediately
once MGM discovered the matter. In addition, we are offering identity
theft protection services through ID Experts®, the data incident and
recovery services expert, to provide you with MyIDCare™. MyIDCare
services include: 12 months of credit and CyberScan monitoring, a
$1,000,000 insurance reimbursement policy, and fully managed ID theft
recovery services. With this protection, MyIDCare will help you resolve
issues if your identity is compromised.

What You Can Do

We encourage you to contact ID Experts with any questions and to enroll
in free MyIDCare services by calling 833-959-1344 or going to
https://ide.myidcare.com/mgmri and using the Enrollment Code provided
above.

***

Again, at this time, there is no evidence that your information has been
misused. However, we encourage you to take full advantage of this service
offering. MyIDCare representatives have been fully versed on the incident
and can answer questions or concerns you may have regarding protection
of your personal information.4

3 SC Magazine, February 20, 2020, MGM admits to 2019 data breach affecting 10.6 million
customers, https://www.scmagazine.com/home/security-news/data-breach/mgm-admits-to-2019-data-breach-affecting-10-6-million-customers/

B. MGM Privacy Policies

24. MGM maintains a Privacy Policy wherein it details the PII it collects from customers
and promises to maintain the security and integrity of such data.

MGM RESORTS PRIVACY POLICY5

MGM Resorts International values your patronage and respects your privacy. This Privacy
Policy ("Policy") describes the information collection, use, protection, and sharing practices
of MGM Resorts International and MGM Resorts International web sites, mobile
applications, electronic communications, and properties

We collect information from a variety of sources and in a variety of ways, including the
following:

Personal Information. When you visit, use, and/or access MGM Resorts or MGM Online
Services, you may provide us with (and/or we may collect) information by which you can be
personally identified including your name, date of birth, postal address, e-mail address, and
telephone number, and videos, recordings, and images of you (“Personal Information”). We
may also obtain Personal Information from third parties.

Sensitive Information. When you make a purchase, visit, use and/or access MGM Resorts
or MGM Online Services, or engage in other transactions or activities, you may provide us
with sensitive Personal Information including your credit or debit card number, financial
account number, biometrics, medical/health-related information, driver’s license number,
government-issued identification card number, social security number, passport number, or
naturalization number (“Sensitive Information”).

4 Exhibit A.

5 https://www.mgmresorts.com/en/privacy-policy.html

SECURITY

Information maintained in electronic form that is collected by MGM Resorts International
and any individual MGM Resort is stored on systems protected by industry standard security
measures. These security measures are intended to protect these systems from unauthorized
access. No security system is impenetrable and these systems could become accessible in the
event of a security breach. We have controls in place that are designed to detect potential
data breaches, contain and minimize the loss of data, and conduct forensic investigations of a
breach.

Our staff is required to take reasonable measures to ensure that unauthorized persons cannot
view or access your Personal Information. Employees who violate our internal privacy
policies are subject to disciplinary action, up to and including termination of employment.

25. Although MGM claims to employ “industry standard security measures,” this
representation, along with the promise to maintain the integrity of customer PII was belied by its
failure to impose and maintain the necessary safeguards that would have prevented the Data Breach.

C. Prevalence of Cyber Attacks and Susceptibility of the Hotel Industry

26. In 2016, the number of U.S. data breaches surpassed 1,000, a record high and a forty
percent increase in the number of data breaches from the previous year.6 In 2017 a new record high
of 1,579 breaches were reported representing a 44.7 percent increase over 2016.7 The number of
yearly data breaches have remained steady with 1,473 breaches reported in 2019.8

6 Identity Theft Resource Center, Data Breaches Increase 40 Percent in 2016, Finds New Report
From Identity Theft Resource Center and CyberScout (Jan. 19, 2017), available at
https://www.idtheftcenter.org/surveys-studys.

7 Identity Theft Resource Center, 2017 Annual Data Breach Year-End Review, available at
https://www.idtheftcenter.org/2017-data-breaches/.

8 Identity Theft Resource Center, 2019 End-of-Year Data Breach Report. Available at
https://www.idtheftcenter.org/2019-data-breaches/?utm_source=web&utm_medium=sitewidenotice&utm_campaign=01282020_2019DataBreachReport

27. The type of PII collected by hotels makes this sector particularly vulnerable to
cyber-attack. Trustwave’s "2018 Global Security Report" lists hospitality as one of the top three
industries most vulnerable to payment card breaches while other estimates project that hotels are the
unwelcome recipients of around 20 percent of all cyberattacks.9 Indeed, in recent years, Marriott,
Hilton, Hyatt, and Trump hotels have all been cited for large-scale data negligence over the past few
years. “Such unfortunate trends should not come as much of a surprise since hotels are hotbeds of
sensitive information. Their data is spread out across porous digital systems and their sales are
usually conducted through weak point-of-sale systems.” Id.

28. “While hospitality companies have fewer transactions than retail organizations — and
thus have data on fewer customers to steal — they collect substantially more valuable and varied
personal data for each of their guests…. This rich personal data is invaluable to cybercriminals. They
can use this data to better impersonate each breached customer, leading to additional identity theft
and social engineering attacks against each individual’s company. By enabling further attacks,
breaching a hotel provides cybercriminals much more value than breaching a company in almost any
other industry.”10

D. MGM Acquires, Collects, and Stores Plaintiff’s and Class Members’ PII

29. As its Privacy Policy makes clear, MGM acquires, collects, and stores a massive
amount of personally identifiable information on its customers.

30. As a condition of staying at its hotel properties, MGM requires that its customers
entrust it with highly sensitive personal information.

9 Hotel management, Why cybersecurity matters, https://www.hotelmanagement.net/tech/why-cybersecurity-matters

10 Cybersecurity in Hospitality: An Unsolvable Problem?, Paladion Networks,
https://www.paladion.net/cybersecurity-in-hospitality-an-unsolvable-problem

31. By obtaining, collecting, using, and deriving a benefit from Plaintiff’s and Class
Members’ PII, MGM assumed legal and equitable duties and knew or should have known that it was
responsible for protecting Plaintiff’s and Class Members’ PII from disclosure.

32. Plaintiff and the Class Members have taken reasonable steps to maintain the
confidentiality of their PII.

33. Plaintiff and the Class Members relied on MGM to keep their PII confidential and
securely maintained, to use this information for business purposes only, and to make only authorized
disclosures of this information.

E. The Value of Personally Identifiable Information and the Effects of Unauthorized
Disclosure

34. MGM was well-aware that the PII it collects is highly sensitive, and of significant
value to those who would use it for wrongful purposes.

35. Personally identifiable information is a valuable commodity to identity thieves. As
the FTC recognizes, with PII identity thieves can commit an array of crimes including identity theft,
medical and financial fraud.11 Indeed, a robust “cyber black market” exists in which criminals
openly post stolen PII on multiple underground Internet websites.

36. The ramifications of the MGM’s failure to keep its customers’ PII secure are long
lasting and severe. Once PII is stolen, fraudulent use of that information and damage to victims may
continue for years.

37. “The fact that the breach happened about seven months ago without any public
disclosure may have led MGM to believe the data was not going to be used by the thieves, but as
with many breaches malicious actors sometimes wait months or years to tip their hand. This is a
great example of how these breaches and their fallout can continue to haunt businesses for quite
some time. It’s likely MGM thought this incident was far in the rear view, but the value of their
particular dataset continues to have appeal….”12

11 Federal Trade Commission, Warning Signs of Identity Theft,
https://www.consumer.ftc.gov/articles/0271-warning-signs-identity-theft

38. At all relevant times, MGM knew, or reasonably should have known, of the
importance of safeguarding PII and of the foreseeable consequences if its data security systems were
breached, including, the significant costs that would be imposed on customers as a result of a breach.

F. MGM Fails to Comply with FTC Guidelines

39. The Federal Trade Commission (“FTC”) has promulgated numerous guides for
businesses which highlight the importance of implementing reasonable data security practices.
According to the FTC, the need for data security should be factored into all business decision-making.13

40. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide
for Business, which established cyber-security guidelines for businesses.14 The guidelines note that
businesses should protect the personal customer information that they keep; properly dispose of
personal information that is no longer needed; encrypt information stored on computer networks;
understand their network’s vulnerabilities; and implement policies to correct any security problems.
The guidelines also recommend that businesses use an intrusion detection system to expose a breach
as soon as it occurs; monitor all incoming traffic for activity indicating someone is attempting to
hack the system; watch for large amounts of data being transmitted from the system; and have a
response plan ready in the event of a breach.

12 SC Magazine, February 20, 2020, MGM admits to 2019 data breach affecting 10.6 million
customers, https://www.scmagazine.com/home/security-news/data-breach/mgm-admits-to-2019-data-breach-affecting-10-6-million-customers/

13 Federal Trade Commission, Start With Security, available at
https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf.

14 Federal Trade Commission, Protecting Personal Information: A Guide for Business, available at
https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf.

41. The FTC further recommends that companies not maintain PII longer than is needed
for authorization of a transaction; limit access to sensitive data; require complex passwords to be
used on networks; use industry-tested methods for security; monitor for suspicious activity on the
network; and verify that third-party service providers have implemented reasonable security
measures.15

42. The FTC has brought enforcement actions against businesses for failing to adequately
and reasonably protect customer data, treating the failure to employ reasonable and appropriate
measures to protect against unauthorized access to confidential consumer data as an unfair act or
practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45.
Orders resulting from these actions further clarify the measures businesses must take to meet their
data security obligations.

43. MGM failed to properly implement basic data security practices. MGM’s failure to
employ reasonable and appropriate measures to protect against unauthorized access to customer PII
constitutes an unfair act or practice prohibited by Section 5 of the FTC Act, 15 U.S.C. § 45.

44. MGM was at all times fully aware of its obligation to protect the PII of customers
because of its position as a trusted healthcare provider. MGM was also aware of the significant
repercussions that would result from its failure to do so.

G. MGM Fails to Comply with Industry Standards

45. Cyber security firms have routinely identified the hotel sector as one being
particularly vulnerable to cyber-attacks because of the value of the PII which they maintain. These
firms have promulgated a series of best practices that at a minimum should be implemented by sector
participants including, but not limited to: installing appropriate malware detection software;
monitoring and limiting the network ports; protecting web browsers and email management systems;
setting up network systems such as firewalls, switches and routers; monitoring and protection of
physical security systems; protection against any possible communication system; training hotel staff
regarding critical points.16

15 FTC, Start With Security, supra note 19.

46. MGM acknowledged the Data Breach was through a cloud server exposure.
Although it did not state how or why the cloud server was exposed, “this could have easily been
caused from poor cloud configuration and security hygiene….17

H. Plaintiff and Class Members Suffered Damages

47. The ramifications of Defendant’s failure to keep Customers’ PII secure are long
lasting and severe. Once PII is stolen, fraudulent use of that information and damage to victims may
continue for years. Consumer victims of data breaches are more likely to become victims of identity
fraud.18

48. The PII belonging to Plaintiff and Class Members is private, sensitive in nature, and
was left inadequately protected by Defendant who did not obtain Plaintiff’s or Class Members’
consent to disclose such PII to any other person as required by applicable law and industry
standards.

49. The Data Breach was a direct and proximate result of MGM’s failure to: (a) properly
safeguard and protect Plaintiff’s and Class Members’ PII from unauthorized access, use, and
disclosure, as required by various state and federal regulations, industry practices, and common law;
(b) establish and implement appropriate administrative, technical, and physical safeguards to ensure
the security and confidentiality of Plaintiff’s and Class Members’ PII; and (c) protect against
reasonably foreseeable threats to the security or integrity of such information.

16 https://opendatasecurity.io/how-to-work-on-hotel-cyber-security/

17 SC Magazine, February 20, 2020, MGM admits to 2019 data breach affecting 10.6 million
customers, https://www.scmagazine.com/home/security-news/data-breach/mgm-admits-to-2019-data-breach-affecting-10-6-million-customers/

18 2014 LexisNexis True Cost of Fraud Study,
https://www.lexisnexis.com/risk/downloads/assets/true-cost-fraud-2014.pdf.

50. Defendant is a multi-billion-dollar company and had the resources necessary to
prevent the Breach, but neglected to adequately invest in data security measures, despite its
obligation to protect customer data.

51. Had Defendant remedied the deficiencies in its data security systems and adopted
security measures recommended by experts in the field, it would have prevented the intrusions into
their systems and, ultimately, the theft of PII.

52. As a direct and proximate result of Defendant’s wrongful actions and inactions,
Plaintiff and Class Members have been placed at an imminent, immediate, and continuing increased
risk of harm from identity theft and fraud, requiring them to take the time which they otherwise
would have dedicated to other life demands such as work and family in an effort to mitigate the
actual and potential impact of the Data Breach on their lives. The U.S. Department of Justice’s
Bureau of Justice Statistics found that “among victims who had personal information used for
fraudulent purposes, 29% spent a month or more resolving problems” and that “resolving the
problems caused by identity theft [could] take more than a year for some victims.”19

53. To date, MGM has merely offered 12 months of identity monitoring services at no
charge.20 The offer, however, is wholly inadequate as it fails to provide for the fact that victims of
data breaches and other unauthorized disclosures commonly face multiple years of ongoing identity
theft and it entirely fails to provide any compensation for the unauthorized release and disclosure of
Plaintiff’s and Class Members’ PII.

54. Furthermore, Defendant’s credit monitoring offer to Plaintiff and Class Members
squarely places the burden on Plaintiff and Class Members, rather than on the Defendant, to
investigate and protect themselves from Defendant’s tortious acts resulting in the Data Breach.
Rather than automatically enrolling Plaintiff and Class Members in credit monitoring services upon
discovery of the breach, Defendant merely sent instructions “offering” the services to affected
customers recommending they sign up for the services.

19 U.S. Department of Justice, Office of Justice Programs Bureau of Justice Statistics, Victims of
Identity Theft, 2012, December 2013 available at https://www.bjs.gov/content/pub/pdf/vit12.pdf (last
visited April 19, 2019).

20 Exhibit A.

55. As a result of the Defendant’s failures to prevent the Data Breach, Plaintiff and Class
Members have suffered, will suffer, or are at increased risk of suffering:

a. The compromise, publication, theft and/or unauthorized use of their PII;

b. Out-of-pocket costs associated with the prevention, detection, recovery and
remediation from identity theft or fraud;

c. Lost opportunity costs and lost wages associated with efforts expended and
the loss of productivity from addressing and attempting to mitigate the actual
and future consequences of the Data Breach, including but not limited to
efforts spent researching how to prevent, detect, contest and recover from
identity theft and fraud;

d. The continued risk to their PII, which remains in t
