`
UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF NEW YORK
----------------------------------------------------------------------X
DOUBET CONSULTING, LLC and GL2 PARTNERS,
INC., individually and on behalf of others similarly situated,

Plaintiffs,

-against-

RACKSPACE TECHNOLOGY, INC.,

Defendant.

Civil Action No.:

CLASS ACTION
COMPLAINT

Jury Trial Demanded
----------------------------------------------------------------------X
`
`Plaintiffs DOUBET CONSULTING, LLC (“Doubet”) and GL2 PARTNERS, INC.
`
`(“GL2”) (collectively, “Plaintiffs”), individually and on behalf of all others similarly situated (the
`
`“Class” or “Class Members”), bring this Class Action Complaint against Defendant RACKSPACE
`
`TECHNOLOGY, INC. (“Rackspace” or “Defendant”), based upon their individual experiences
`
`and personal information, and investigation by their counsel.
`
`INTRODUCTION
`
`
`
`1.
`
Plaintiffs, individually and on behalf of all others similarly situated, bring this class
`
`action suit against Defendant because of its failure to properly secure and safeguard Plaintiffs’ and
`
`Class Members’ personally identifiable information (“PII”) and/or other proprietary and/or highly
`
`confidential data (collectively, “Sensitive Data”) stored within Defendant’s information network,
`
`to properly maintain its Hosted Exchange environment so as to provide continuous email service,
`
`and/or notify Plaintiffs and Class Members of outages so as to not unreasonably interfere with their
`
`access to their Sensitive Data.
`
`
`
`2.
`
`Launched in 1998, Rackspace touts itself on its website (www.rackspace.com/about)
`
`as “multicloud solutions experts” and a leading provider of expertise and managed services across
`
`all the major public and private cloud technologies, assisting business customers in over 120
`
`
`
`1
`
`
`
`Case 1:23-cv-00526-JLR Document 1 Filed 01/21/23 Page 2 of 44
`
`countries. Rackspace is the world’s largest managed cloud provider and provides access to such
`
`cloud offerings as Amazon Web Services, Microsoft Azure, and OpenStack.
`
`
`
`3.
`
`According to Defendant, at some point prior to 2:49 AM EST on or about December
`
`2, 2022, Defendant discovered “an issue [that affected its Hosted Exchange Environments].”
`
`
`
`4.
`
`According to Defendant, at approximately 2:49 AM EST, it was investigating the
`
`issues, but provided no further information to Plaintiffs and Class Members. As of that time,
`
`Defendant had allegedly already received “reports of connectivity issues” to its Exchange
`
`environments, admitting (albeit much later and insufficiently) that users “may experience an error
`
`upon accessing the Outlook Web App (Webmail) and syncing their email clients.”
`
`
`
`5.
`
`According to Defendant, over the next several hours, it continued its investigation
`
`regarding these connectivity and login issues, admitting (although much later) that users “may
`
`experience an error upon attempting to access OWA (Webmail) & sync mail to their email client”
`
`or “a prompt [to] re-enter their password.”
`
`
`
`6.
`
`Over the course of the following day, Defendant’s investigation continued, with
`
Defendant acknowledging that these “connectivity and login issues greatly impact its clients”.
`
`
`
`7.
`
`According to statements made later on its website, Defendant recognized, and then
`
`apologized, for the “major disruption” these issues caused its clients.
`
`
`
`8.
`
`According to statements made later that evening, Defendant again acknowledged
`
`that this “significant failure” in its environment was impacting its clients “greatly.” At that time, it
`
`directed its clients’ account administrators to “manually set up each individual user” on clients’
`
`accounts, actions that would require significant time and expense to those clients. During that
`
`recommended process, Defendant acknowledged that its clients would be “unable to connect to the
`
`Hosted Exchange service to sync new email or send mail using [the] Hosted Exchange.” Defendant
`
`
`
`2
`
`
`
`Case 1:23-cv-00526-JLR Document 1 Filed 01/21/23 Page 3 of 44
`
`further encouraged “admins to configure and set up their users accounts on Microsoft 365 so they
`
`can begin sending and receiving mail immediately.”
`
`
`
`9.
`
`According to Defendant, as of December 3, 2022, at 1:57 AM EST, Defendant had
`
determined, and later acknowledged, that the foregoing events were the result of a “security
`
`incident”.
`
`
`
`10. While Defendant claims to have discovered the disruption as early as December 2,
`
`2022, Defendant did not inform victims of the Security Incident other than via an incident
`
`report/summary subsequently posted on its website. Indeed, Plaintiffs and Class Members were
`
`wholly unaware of the Security Incident, if at all, until their email accounts became unusable and/or
`
`they contacted Defendant directly to inquire as to the disruption.
`
`
`
`11.
`
`Prior to the Security Incident, and in the normal course and scope of performing
`
`services for Plaintiffs and Class Members, Defendant acquired, collected and/or stored Plaintiffs’
`
`and Class Members’ Sensitive Data. Therefore, at all relevant times, Defendant knew, or should
`
`have known, that Plaintiffs and Class Members would use Defendant’s services to store and/or share
`
`Sensitive Data.
`
`
`
`12.
`
`By obtaining, collecting, using, and deriving a benefit from storing and/or facilitating
`
`access to Plaintiffs’ and Class Members’ Sensitive Data, Defendant assumed legal and equitable
`
`duties to those individuals/businesses. These duties arise from state and federal statutes and
`
`regulations, as well as common law principles.
`
`
`
`13.
`
`The confidential information that was compromised in the Security Incident can be
`
`used to gain unlawful access to online accounts of present and former clients, carry out identity
`
`theft, or commit other fraud and can be disseminated on the internet, available to those who broker
`
and traffic in stolen PII and Sensitive Data.
`
`
`
`3
`
`
`
`Case 1:23-cv-00526-JLR Document 1 Filed 01/21/23 Page 4 of 44
`
`
`
`14.
`
`The illegal access to PII and Sensitive Data of minors is particularly nefarious, as
`
`awareness of such access is typically delayed for a much longer period of time in the case of children
`
`as opposed to adults, giving perpetrators more time to use the PII and Sensitive Data for illegal
`
`purposes before detection.
`
`
`
`15. While the sophistication of the methods employed in effectuating the Security
`
`Incident is not publicly known, it is certain that the Security Incident could have been avoided
`
`through basic security measures, encrypting, authentications, and training.
`
`
`
`16.
`
`At all relevant times, Defendant promised and agreed in various documents to
`
`safeguard and protect Personal Identifiable Information (PII) and Sensitive Data in accordance with
`
`federal, state, and local laws, and industry standards, including the New York General Business
`
`Law, the New York SHIELD Act, and the Texas Deceptive Trade Practices – Consumer Protection
`
`Act. Defendant made these promises and agreements on their websites and other written notices.
`
`
`
`17.
`
`Contrary to these promises, and despite the fact that the threat of a data breach or
`
`other security incident has been a well-known risk to Defendant, especially due to the valuable and
`
`sensitive nature of the data Defendant collects, stores and maintains, Defendant failed to take
`
`reasonable steps to adequately protect the PII and Sensitive Data of current and former clients. The
`
`Security Incident was a direct result of Defendant’s failure to implement adequate and reasonable
`
`cyber-security procedures and protocols necessary to protect PII and Sensitive Data.
`
`
`
`18.
`
`As a result of Defendant’s failure to take reasonable steps to adequately protect the
`
`PII and Sensitive Data of current and former clients, Plaintiffs’ and Class Members’ PII and
`
`Sensitive Data is now on the internet for anyone and everyone to acquire, access, and use for
`
`unauthorized purposes for the foreseeable future.
`
`
`
`
`
`19.
`
`Defendant’s failure to implement and follow basic security procedures has resulted
`
`4
`
`
`
`Case 1:23-cv-00526-JLR Document 1 Filed 01/21/23 Page 5 of 44
`
`in ongoing harm to Plaintiffs and Class Members, who will continue to experience a lack of data
`
`security for the indefinite future and remain at serious risk of identity theft and fraud that would
`
`result in significant monetary loss and loss of privacy, as well as disruption of their business
`
`operations, loss of hosted exchange services and permanent loss of countless e-mails and other
`
`stored data.
`
`
`
`20.
`
`Accordingly, Plaintiffs seek to recover damages and other relief resulting from the
`
`Security Incident, including but not limited to, compensatory damages, reimbursement of costs that
`
`Plaintiffs and others similarly situated will be forced to bear, and declaratory judgment and
`
`injunctive relief to mitigate future harms that are certain to occur in light of the scope of this
`
`incident.
`
`JURISDICTION AND VENUE
`
`
`
`21.
`
`This Court has subject matter jurisdiction pursuant to the Class Action Fairness Act
`
`of 2005, 28 U.S.C. § 1332(d), because the aggregate amount in controversy exceeds $5 million,
`
`exclusive of interest and costs; the number of Members of the proposed Class exceeds 100, and
`
`diversity exists because some of the Plaintiffs and Class Members and Defendant are citizens of
`
`different states. Subject matter jurisdiction is also based upon the Federal Trade Commission Act
`
`(FTCA). This Court also has supplemental jurisdiction over the state law claims pursuant to 28
`
`U.S.C. § 1367.
`
`
`
`22.
`
`This Court has personal jurisdiction over Defendant as it routinely conducts business
`
`in the State where this District is located, conducts substantial business in this State and in this
`
`District and/or the conduct complained of occurred in and/or emanated from this State and District
`
`because the confidential information compromised in the Security Incident was likely stored and/or
`
`maintained in accordance with practices emanating from this District.
`
`
`
`5
`
`
`
`Case 1:23-cv-00526-JLR Document 1 Filed 01/21/23 Page 6 of 44
`
`
`
`23.
`
`Venue is proper pursuant to 28 U.S.C. § 1391 because a substantial part of the events
`
`or omissions giving rise to the conduct alleged in this Complaint occurred in, were directed to,
`
`and/or emanated from this District, and because Plaintiff Doubet is headquartered in and does
`
`business within this District.
`
`THE PARTIES
`
`24.
`
`Plaintiff Doubet Consulting, LLC is a domestic limited liability company existing
`
`by virtue of the laws of the State of New York, conducting business within the State of New York
`
`and elsewhere, headquartered at 310 East 75th Street, New York, County and State of New York,
`
`and is a client of Defendant.
`
`
`
`25.
`
`Plaintiff GL2 Partners, Inc. is a domestic for-profit corporation existing by virtue of
`
`the laws of the State of Texas, conducting business within the State of Texas and elsewhere,
`
`headquartered at 115 West 2nd Street, Suite 201, Fort Worth, County of Tarrant, State of Texas, and
`
`is a client of Defendant.
`
`
`
`26.
`
`Defendant touts itself to the public as the “multicloud solutions experts” and a
`
`leading provider of expertise and managed services across all the major public and private cloud
`
`technologies, assisting business customers in over 120 countries. It claims to have “created the
`
`managed hosting industry”. Rackspace is the world’s largest managed cloud provider and provides
`
`access to such cloud offerings as Amazon Web Services, Microsoft Azure and OpenStack.
`
`
`
`FACTUAL ALLEGATIONS
`
`
`
`27.
`
`At all pertinent times, Plaintiffs were and are clients of Defendant Rackspace,
`
`through its employees and/or agents and/or servants and/or representatives, whose PII and other
`
`Sensitive Data were collected and stored by Defendant.
`
`
`
`
`
`28.
`
`According to Defendant, at some point prior to 2:49 AM EST on or about December
`
`6
`
`
`
`Case 1:23-cv-00526-JLR Document 1 Filed 01/21/23 Page 7 of 44
`
`2, 2022, Defendant discovered “an issue [that affected its Hosted Exchange Environments].”
`
`
`
`29.
`
`According to Defendant, at approximately 2:49 AM EST, it was investigating the
`
issues, but provided no further information to Plaintiffs and Class Members. As of that time,
`
`Defendant had allegedly already received “reports of connectivity issues” to its Exchange
`
`environments, admitting (albeit much later and insufficiently) that users “may experience an error
`
`upon accessing the Outlook Web App (Webmail) and syncing their email clients.”
`
`
`
`30.
`
`According to Defendant, over the next several hours, it continued its investigation
`
`regarding these connectivity and login issues, admitting (although much later) that users “may
`
`experience an error upon attempting to access OWA (Webmail) & sync mail to their email client”
`
`or “a prompt [to] re-enter their password.”
`
`
`
`31.
`
`Over the course of the following day, Defendant’s investigation continued, with
`
`Defendant acknowledging that these “connectivity and login issues greatly impact its clients”.
`
`
`
`32.
`
`According to statements made later on its website, Defendant recognized, and then
`
`apologized, for the “major disruption” these issues caused its clients.
`
`
`
`33.
`
`According to statements made later that evening, Defendant again acknowledged
`
`that this “significant failure” in its environment was impacting its clients “greatly.” At that time, it
`
`directed its clients’ account administrators to “manually set up each individual user” on clients’
`
`accounts, actions that would require significant time and expense to those clients. During that
`
`recommended process, Defendant acknowledged that its clients would be “unable to connect to the
`
`Hosted Exchange service to sync new email or send mail using [the] Hosted Exchange.” Defendant
`
`further encouraged “admins to configure and set up their users accounts on Microsoft 365 so they
`
`can begin sending and receiving mail immediately.”
`
`
`
`
`
`34.
`
`According to Defendant, as of December 3, 2022, at 1:57 AM EST, Defendant had
`
`7
`
`
`
`Case 1:23-cv-00526-JLR Document 1 Filed 01/21/23 Page 8 of 44
`
determined, and later acknowledged, that the foregoing events were the result of a “security
`
`incident”.
`
`
`
`35.
`
Defendant’s postings on its website regarding the Security Incident are as follows:
`
`02:31 PM EST
`12/03/22
`Our security and operations teams continue to work both internally
`and closely with outside experts to determine the full scope and
`impact of the issue involving our Hosted Exchange environment.
`
`Since our last update, we have assisted numerous customers to open
`replacement Microsoft 365 accounts so they can resume sending and
`receiving emails. This remains our topmost priority. Our support
`teams across the company continue working to assist customers in all
`hands-on deck effort during this time. We are working diligently to
`source additional resources to help our customers over the weekend.
`If you need assistance, please contact our support team via our usual
`support channels.
`
`Please continue to monitor our status page for the latest updates and
`FAQs:
`https://status.apps.rackspace.com/index/viewincidents?group=2.
`
`Again, thank you for your patience.
`
`01:57 AM EST
`12/03/22
`What happened?
`
`On Friday, Dec 2, 2022, we became aware of an issue impacting our
`Hosted Exchange environment. We proactively powered down and
`disconnected the Hosted Exchange environment while we triaged to
`understand the extent and the severity of the impact. After further
`analysis, we have determined that this is a security incident.
`
`The known impact is isolated to a portion of our Hosted Exchange
`platform. We are taking necessary actions to evaluate and protect our
`environments.
`
`Has my account been affected?
`
`We are working through the environment with our security teams and
`partners to determine the full scope and impact. We will keep
`customers updated as more information becomes available.
`
`
`
`8
`
`
`
`Case 1:23-cv-00526-JLR Document 1 Filed 01/21/23 Page 9 of 44
`
`
`Has there been an impact to the Rackspace Email platform?
`
`We have not experienced an impact to our Rackspace Email product
`line and platform.
`
`At this time, Hosted Exchange accounts are impacted, and not
`Rackspace Email.
`
`When will I be able to access my Hosted Exchange account?
`
`We currently do not have an ETA for resolution. We are actively
`working with our support teams and anticipate our work may take
`several days. We will be providing information on this page as it
`becomes available, with updates at least every 12 hours.
`
`As a result, we are encouraging admins to configure and set up their
`users accounts on Microsoft 365 so they can begin sending and
`receiving mail immediately. If you need assistance, please contact our
`support team. We are available to help you set it up.
`
`Is there an alternative solution?
`
`At no cost to you, we will be providing access to Microsoft Exchange
`Plan 1 licenses on Microsoft 365 until further notice.
`
`To activate, please use the below link for instructions on how to set
`up your account and users.
`
https://docs.rackspace.com/support/how-to/how-to-set-up-O365-via-your-cloud-officecontrol-panel
`
`Please note that your account administrator will need to manually set
`up each individual user on your account. Once your users have been
`set up and all appropriate DNS records are configured, their email
`access will be reactivated, and they will start receiving emails and can
`send emails. Please note, that DNS changes take approximately 30
`minutes to provision and in rare cases can take up to 24 hours.
`
`IMPORTANT: If you utilize a hybrid Hosted environment
`(Rackspace Email and Exchange on a single domain) then you will
`be required to move all mailboxes (Rackspace Email and Exchange)
`to M365 for mail flow to work properly. To preserve your data, it is
`critical that you do not delete your original mailboxes when making
`this change.
`
`
`9
`
`
`
`
`
`
`
`
`
`
`
`Case 1:23-cv-00526-JLR Document 1 Filed 01/21/23 Page 10 of 44
`
`I don’t know how to setup Microsoft 365. How can I get help?
`
`Please leverage our support channels by either joining us in chat or
`by calling +1 (855) 348-9064. (INTL: +44 (0) 203 917 4743).
`
`Can I access my Hosted Exchange inbox from before the service was
`brought offline?
`
`If you access your Hosted Exchange inbox via a local client
`application on your laptop or phone (like Outlook or Mail), your local
`device is likely configured to store your messages. However, while
`the Hosted Exchange environment is down, you will be unable to
`connect to the Hosted Exchange service to sync new mail or send
`mail using Hosted Exchange.
`If you regularly access your inbox via Outlook Web Access (OWA),
`you will not have access to Hosted Exchange via OWA while the
`platform is offline.
`
`As a result, we are encouraging admins to configure and set up their
`user’s accounts on Microsoft 365 so they can begin sending and
`receiving mail immediately. If you need assistance, please contact our
`support team. We are available to help you set it up.
`
`Will I receive mail in Hosted Exchange sent to me during the time
`the service has been shut down?
`
`Possibly. We intend to update further as we get more information.
`
`As a result, we are encouraging admins to configure and set up their
user’s accounts on Microsoft 365 so they can begin sending and
`receiving mail immediately. If you need assistance, please contact our
`support team. We are available to help you set it up.
`
`08:19 PM EST
`12/02/22
`To our valued customers,
`
`First and foremost, we appreciate your patience as we are working
`through the issue with your Hosted Exchange account, which we
`know impacted you greatly today. We experienced a significant
`failure in our Hosted Exchange environment. We proactively shut
`down the environment to avoid any further issues while we continue
`work to restore service. As we continue to work through the root
`cause of the issue, we have an alternate solution that will re-activate
`your ability to send and receive emails.
`
`
`
`
`10
`
`
`
`Case 1:23-cv-00526-JLR Document 1 Filed 01/21/23 Page 11 of 44
`
`At no cost to you, we will be providing you access to Microsoft
`Exchange Plan 1 licenses on Microsoft 365 until further notice.
`
`To activate, please use the below link for instructions on how to set
`up your account and users.
`
https://docs.rackspace.com/support/how-to/how-to-set-up-O365-via-your-cloud-officecontrol-panel
`
`Please note that your account administrator will need to manually set
`up each individual user on your account. Once your users have been
`set up and all appropriate DNS records are configured, their email
`access will be reactivated, and they will start receiving emails and can
`send emails. Please note, that DNS changes take approximately 30
`minutes to provision and in rare cases can take up to 24 hours.
`
`IMPORTANT: If you utilize a hybrid Hosted environment
`(Rackspace Email and Exchange on a single domain) then you will
`be required to move all of your mailboxes (Rackspace Email and
`Exchange) to M365 in order for mail flow to work properly. To
`preserve your data, it is critical that you do not delete your original
`mailboxes when making this change.
`
`Again, we apologize that this has been a major disruption to you, but
`we hope this will allow you to resume regular business as soon as
`possible.
`
`Our support team is available to assist you via our usual support
`channels. Please reach out and continue to monitor our status page
`for further updates. Link to
`incident:
`https://status.apps.rackspace.com/index/viewincidents?group=2
`
`Thanks again for your patience in this matter, we appreciate your
`business as a valued customer.
`
`04:51 PM EST
`12/02/22
`To all of our valued customers, we understand the connectivity and
`login issues in our Cloud Office environments are greatly impacting
`you. We are working diligently to resolve the issue and it is currently
`our highest priority. Please continue to monitor our status page for
`the latest updates. Again, thank you for your patience, as we work to
`provide you a resolution soon.
`
04:01 PM EST
12/02/22
`We are aware of an issue impacting our Hosted Exchange
`environments. Our Engineering teams continue to work diligently to
`come to a resolution. At this time we are still in the investigation
`phase of this incident and will update our status page as more
`information becomes available.
`
`01:54 PM EST
`12/02/22
`We are aware of an issue impacting our Hosted Exchange
`environments. Our Engineering teams continue to work diligently to
`come to a resolution. At this time we are still in the investigation
`phase of this incident and will update our status page as more
`information becomes available.
`
`09:38 AM EST
`12/02/22
`All hands are on the deck & right resources have been engaged and
`are actively working on the issue. All new updates will be posted here
`as they become available.
`
`06:36 AM EST
`12/02/22
`We continue to investigate the connectivity and login issues to our
`Exchange environments. Users may experience an error upon
`attempting to access OWA (Webmail) & sync mail to their email
`client, or a prompt to re-enter their password.
`
`We will provide further information as this becomes available.
`
`04:39 AM EST
`12/02/22
`We continue to investigate the connectivity issues to our Exchange
`environments. We will provide further updates as they become
`available.
`
`04:32 AM EST
`12/02/22
`We continue to investigate the connectivity issues to our Exchange
`environments. We will provide further updates as they become
`available.
`
`03:02 AM EST
`12/02/22
`We are investigating reports of connectivity issues to our Exchange
environments. Users may experience an error upon accessing the
Outlook Web App (Webmail) and syncing their email client(s).
`
`We will provide further updates as they become available.
`
`02:49 AM EST
`12/02/22
`We are investigating an issue that is affecting our Hosted Exchange
`environments. More details will be posted as they become available.
`
36.

It was later disclosed that the Security Incident was due to a ransomware attack.
`
`37. While Defendant claims to have discovered the disruption as early as December 2,
`
`
`
`
`
`2022, Defendant did not inform victims of the Security Incident other than via an incident
`
`report/summary subsequently posted on its website. Indeed, Plaintiffs and Class Members were
`
`wholly unaware of the Security Incident, if at all, until their email accounts became unusable and/or
`
`they contacted Defendant directly to inquire as to the disruption.
`
`
`
`38.
`
`Prior to the Security Incident, and in the normal course and scope of performing
`
`services for Plaintiffs and Class Members, Defendant acquired, collected and/or stored Plaintiffs’
`
`and Class Members’ PII and Sensitive Data. Therefore, at all relevant times, Defendant knew, or
`
`should have known, that Plaintiffs and Class Members would use Defendant’s services to store
`
`and/or share PII and Sensitive Data.
`
`
`
`39.
`
`As part of Defendant’s contracts with the current and former clients, Defendant
`
`promised to protect the PII, Sensitive Data and other data of current and former clients, in
`
`accordance with the applicable Federal, State and local statutes and regulations, emphasizing their
`
`purported commitment to protection of PII, Sensitive Data and other data on its website and
`
`elsewhere.
`
`40.
`
Defendant’s website[1] claims:

[1] https://www.rackspace.com/information/legal/privacystatement

At Rackspace Technology Global, Inc., and its group companies
including, but not limited to, Onica Group LLC, Rackspace US, Inc.,
Tricore Solutions, LLC, Rackspace Government Solutions, Inc. and
`RelationEdge, LLC, (“Rackspace Technology”, “we”, “us”, and
`“our”), privacy commitments are fundamental to the way we run our
`business. Unless otherwise noted or governed by law, these
`commitments apply to everyone who has a relationship with us -
`including customers, partners, and website visitors. Rackspace
`Technology is committed to providing you with the best overall
`experience in all of our products and services. We strive to strike the
`right balance between using your data to ensure the quality of those
`experiences and protecting your privacy. We have assessed all
`aspects of our business and optimized the amount of data we collect
`to find just the right balance between data sharing and service.
`
`We endeavor to protect the security of your Personal Information.
`Rackspace Technology has implemented appropriate administrative,
`technical, and physical safeguards designed to prevent unauthorized
`access, use or disclosure. For example, we store the Personal
`Information you provide on computer servers with limited access that
`are located in controlled facilities. We will retain Personal
`Information collected from you where we have a justifiable business
`need to do so and for as long as is needed to fulfill the purposes
`outlined in this Privacy Notice, unless a longer retention period is
`required or permitted by law (such as legal, tax or accounting
`reasons).
`
41.

Defendant has failed to maintain the confidentiality of PII, Sensitive Data and other

data, failed to prevent cybercriminals from accessing and using PII, Sensitive Data and other data,
`
`failed to avoid accidental loss, disclosure, or unauthorized access to PII, Sensitive Data and other
`
`data, failed to prevent the unauthorized disclosure of PII, Sensitive Data and other data, failed to
`
`provide security measures consistent with industry standards for the protection of PII, Sensitive
`
`Data and other data, failed to prevent interruption of service of current and former clients whose
`
`data Defendant has collected and stored, and failed to protect against the permanent loss of client
`
`data.
`
`
`
`42.
`
`This Security Incident was foreseeable, in light of the much-publicized wave of data
`
`breaches in recent years. Since at least 2015, the Federal Bureau of Investigation (“FBI”) has
`
`specifically advised private industry about the threat of “Business E-Mail Compromise” (“BEC”).
`
`
`
`14
`
`
`
`Case 1:23-cv-00526-JLR Document 1 Filed 01/21/23 Page 15 of 44
`
`The FBI calls BEC “a growing financial fraud that is more sophisticated than any similar scam the
`
`FBI has seen before and one—in its various forms—that has resulted in actual and attempted losses
`
`of more than a billion dollars to businesses worldwide.” The FBI notes that “scammers’ methods
`
`are extremely sophisticated,” and warns companies that “the criminals often employ malware to
`
infiltrate company networks.”[2]
`
`
`
`43.
`
`Accordingly, Defendant knew, or should have known, given the vast amount of PII,
`
`Sensitive Data and other data it collects, manages, and maintains, that it was a target of security
`
`threats, and therefore understood the risks posed by unsecure data security practices and systems.
`
`Defendant’s failure to heed warnings and to otherwise maintain adequate security practices resulted
`
`in this Security Incident.
`
`
`
`44.
`
`Defendant, at all relevant times, had a duty to Plaintiffs and Class Members to
`
`properly secure their PII, Sensitive Data and other data, encrypt and maintain such information
`
`using industry standard methods, train its employees, utilize available technology to defend its
`
`systems from invasion, act reasonably to prevent foreseeable harm to Plaintiffs and Class Members,
`
`prevent interruption of service, protect against permanent loss of client data and promptly notify the
`
`Plaintiffs and Class Members when Defendant became aware of the potential that Plaintiffs’ and
`
`Class Members’ PII, Sensitive Data and other data may have been compromised.
`
`
`
`45.
`
`Defendant’s duty to use reasonable security measures arose as a result of the special
`
`relationship that existed between Defendant, on the one hand, and Plaintiffs and the Class Members
`
`on the other hand. The special relationship arose because Plaintiffs and Class Members entrusted
`
Defendant with their PII, Sensitive Data and other data by virtue of being current and former clients

of Rackspace’s personnel, and by virtue of Federal, State and local statutes and regulations.

Defendant had the resources necessary to prevent the Security Incident but neglected to adequately

invest in security measures, despite its obligation to protect such information. Accordingly,

Defendant breached its common law, statutory, and other duties owed to Plaintiffs and Class

Members.

[2] BUSINESS E-MAIL COMPROMISE: AN EMERGING GLOBAL THREAT, https://www.fbi.gov/news/stories/business-e-mail-compromise (last visited Apr. 20, 2020).
`
`
`
`46.
`
`Defendant’s duty to use reasonable security measures also arose under Section 5 of
`
`the Federal Trade Commission Act, 15 U.S.C. § 45, which prohibits “unfair . . . practices in or
`
`affecting commerce,” including, as interpreted and enforced by the FTC, the unfair practice of
`
`failing to use reasonable measures to protect confidential data by entities such as Defendant.
`
`
`
`47.
`
Defendant’s duty to use reasonable security measures also arose under the New York
`
`SHIELD Act and the Texas Deceptive Trade Practices – Consumer Protection Act.
`
`
`
`48.
`
`The Federal Trade Commission has established data security principles and practices
`
for businesses as set forth in its publication, Protecting Personal Information: A Guide for Business.[3]
`
`Among other things, the FTC states that companies should encrypt information stored on computer
`
`networks and dispose of consumer information that is no longer needed. The FTC also says to
`
`implement policies for installing vendor-approved patches to correct problems, and to identify
`
`operating systems. The FTC also recommends that companies understand their network’s
`
`vulnerabilities and develop and implement policies to rectify security deficiencies. Further, the FTC
`
`recommends that companies utilize an intrusion detection system to expose a data breach as soon
`
`as it occurs; m