`
`MICHAEL HEIDBREDER
`
`
`Plaintiff,
`
`vs
`EPIC GAMES, INC.,
`Defendant.
`
`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE EASTERN DISTRICT OF NORTH CAROLINA
`WESTERN DIVISION
`
`
`)
`)
`)
`)
`)
`)
`)
`)
`)
`
`
`
`Case No.:
`
`CLASS ACTION COMPLAINT
`JURY TRIAL DEMANDED
`
`
`
`
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 1 of 27
`
`
`
`
`
`TABLE OF CONTENTS
`SUMMARY OF CASE..................................................................................................... 1
`
`JURISDICTION AND VENUE ....................................................................................... 3
`
`PARTIES .......................................................................................................................... 3
`
`A.
`
`B.
`
`Plaintiff ..................................................................................................... 3
`
`Defendant .................................................................................................. 4
`
`FACTUAL BACKGROUND ........................................................................................... 4
`
`A.
`
`B.
`
`C.
`
`Epic Games Collects and Stores PII for its Own Financial Gain ............. 4
`
`PII Is Very Valuable on the Black Market................................................ 7
`
`Epic Games’ Inadequate Data Security Allowed the Breach of Fortnite
`User Accounts ......................................................................................... 10
`
`CLAIMS ALLEGED ON BEHALF OF ALL CLASSES .............................................. 15
`
`First Claim for Relief .......................................................................................... 15
`
`Second Claim for Relief ...................................................................................... 17
`
`Third Claim for Relief ........................................................................................ 18
`
`Fourth Claim for Relief ....................................................................................... 20
`
`
`
`ADDITIONAL CLAIM ALLEGED ON BEHALF OF THE MISSOURI SUB-CLASS
`ONLY ............................................................................................................................. 21
`
`Fifth Claim for Relief.......................................................................................... 21
`
`i
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 2 of 27
`
`
`
`PRAYER FOR RELIEF ................................................................................................. 23
`
`JURY TRIAL DEMANDED .......................................................................................... 24
`
`
`
`ii
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 3 of 27
`
`
`
`
`
`For his Class Action Complaint, Plaintiff Michael Heidbreder (“Plaintiff”), on behalf of
`himself and all others similarly situated, alleges the following against Defendant Epic Games, Inc.
`(“Defendant” or “Epic Games”), based on personal knowledge as to Plaintiff and Plaintiff’s own
`acts, and on information and belief as to all other matters based upon, inter alia, the investigation
`conducted by and through Plaintiff’s undersigned counsel:
`SUMMARY OF CASE
`1.
`This case involves a data breach Epic Games announced on January 16, 2019, wherein
`the personal information of 200 million Fortnite users was exposed due to a flaw in Fortnite’s code
`that allowed hackers and other nefarious users to take over player accounts and exploit their personal
`information for unsavory and illegal purposes (“Data Breach”).
`2.
`Epic Games developed and operates Fortnite, a popular battle-royale style video
`game played by approximately 80 million people per month and with approximately 200 million
`registered users across computer, console, and mobile platforms.
`3.
`As part of the sign-up process and as a consequence of playing Fortnite, users
`create, maintain, and update accounts containing personal information, including their names,
`email addresses, and credit or debit card information, referred to herein as “PII” (personally
`identifiable information).
`4.
`On January 16, 2019, Epic Games publicly acknowledged that Fortnite users’ PII
`was subject to a security breach, but did not disclose a timeframe for the Data Breach or how many
`accounts were impacted. Epic Games has not yet directly informed or notified individual Fortnite
`users that their PII may be compromised as a result of the breach. Epic Games’ acknowledgement
`only came after Check Point Software Technologies Ltd. (“Check Point”), a cybersecurity firm,
`discovered vulnerabilities in Fortnite’s web infrastructure and disclosed their findings to Epic
`Games in November of 2018.
`5.
`Fortnite’s vulnerabilities stemmed from its single sign-on (“SSO”) setup, a
`mechanism that allows users to log into multiple services with the same third-party account such
`
`1
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 4 of 27
`
`
`
`as Epic Games, Xbox, or Google. Once logged into a third-party account, users could log in and
`access their Fortnite account by requesting the third-party account send an access token1 to
`Fortnite.
`6.
`Hackers exploited the SSO by distributing phishing links over social media
`messages or forum posts claiming, inter alia, to be about a Fortnite promotion. When users
`opened the link, they were asked to log in to their Fortnite account via the SSO. But instead of
`having the third-party account send the security token to the legitimate login, hackers redirected
`those users to an old, unsecured URL maintained by Epic Games. Check Point’s research revealed
`that hackers could embed that URL with malicious JavaScript allowing them to steal Fortnite
`access tokens which they could then use to take over users’ accounts.
`7.
`As a result of Defendant’s failure to maintain adequate security measures and notify
`users of the security breach in a timely manner, Plaintiff and certain Fortnite users’ PII was
`compromised. They have suffered an ascertainable loss in that the credit or debit card information
`linked to their Fortnite accounts was stolen as a result of Defendant’s failures. Hackers used this
`information to purchase in-game Fortnite currency without the permission of the account holders,
`including Plaintiff. Hackers also used this information to steal player accounts. Some of these stolen
`accounts, once loaded up with in-game currency purchased fraudulently, were sold on third-party
`websites. The sale of Fortnite accounts on the dark web has increased recently,2 with accounts selling
`for an average of approximately $11.29.3 Furthermore, Plaintiff and the other impacted Fortnite users
`must undertake additional security measures, some at their own expense, to minimize the risk of
`
`
`1
`Access tokens are the equivalent of digital keys that allow users logged into third-party accounts
`to use those accounts as a verification to log in to their Fortnite accounts.
`
`Antony Cuthbertson, Fortnite, Netflix and Uber Accounts Being Sold For Just £8 on the Dark
`
`Web (Feb. 19, 2019), available at https://www.independent.co.uk/life-style/gadgets-and-
`tech/news/fortnite-account-sale-dark-web-price-index-netflix-uber-cyber-crime-a8786686.html (last
`visited August 8, 2019).
`
` 2
`
`3
`Simon Migliano, Dark Web Market Price Index (February 2019 - UK Edition), available at
`https://www.top10vpn.com/privacy-central/privacy/dark-web-market-price-index-2019-uk-
`edition/#indextop (last visited August 8, 2019).
`
`2
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 5 of 27
`
`
`
`future data breaches including, without limitation, canceling credit or debit cards associated with
`their Fortnite and/or Epic Games accounts and changing their passwords to those accounts. But there
`is no guarantee that such security measures will in fact adequately protect their PII. As such, Plaintiff
`and the other Class members have an ongoing interest in ensuring that their PII is protected from
`past and future cybersecurity threats.
`8.
`This Class Action Complaint is filed on behalf of all persons in the United States
`described more fully in the following sections, whose PII was compromised in the Data Breach.
`JURISDICTION AND VENUE
`9.
`This Court has jurisdiction over this action pursuant to the Class Action
`Fairness Act (“CAFA”), 28 U.S.C. § 1332(d), because the aggregate amount in controversy
`exceeds $5,000,000, exclusive of interests and costs, there are more than 100 class members, and
`at least one class member is a citizen of a state different from Defendant and is a citizen of a
`foreign state. The Court also has supplemental jurisdiction over the state law claims pursuant to
`28 U.S.C. § 1367.
`10.
`Venue is proper under 28 U.S.C. § 1391(c) because Defendant is a corporation
`that does business in and is subject to personal jurisdiction in this District. Venue is also proper
`because a substantial part of the events or omissions giving rise to the claims in this action occurred
`in or emanated from this District, including the decisions made by Epic Games’ governance and
`management personnel that led to the Data Breach. Further, Epic Games’ terms of service governing
`users in the United States provides for venue in North Carolina for all claims arising out of
`Plaintiff’s relationship with Epic Games.
`
`PARTIES
`
`A.
`Plaintiff
`11.
`Plaintiff Michael Heidbreder is an adult individual residing in the State of Missouri.
`12.
`At all relevant times, Plaintiff had an Epic Games account, was a Fortnite user, and
`had a debit card linked to his Epic Games account.
`
`3
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 6 of 27
`
`
`
`B.
`Defendant
`13.
`Defendant Epic Games, Inc. is a Maryland corporation with its principal executive
`offices located at 620 Crossroads Boulevard, Cary, North Carolina 27518.
`14.
`At all relevant times, Defendant was and is engaged in the business of developing
`and operating video games, websites, and mobile applications in Wake County and throughout the
`United States of America.
`
`FACTUAL BACKGROUND
`A.
`Epic Games Collects and Stores PII for its Own Financial Gain
`15.
`The majority of Epic Games’ revenue comes from sales associated with its Fortnite
`video game. In 2018, Fortnite accounted for $2.4 billion of Epic Games’ revenue, “ʻthe most annual
`revenue of any [video] game in history.ʼ”4
`16. While Fortnite’s “Battle Royale” mode can be downloaded and played for free, users
`have the option of purchasing a “Battle Pass” each “Season” that allows access to exclusive in-game
`content for Battle Royale mode. Users can also purchase “PVE [player versus environment]
`Campaign Packs” ranging in price from approximately $40.00 to $150.00.
`17.
`To purchase in-game content, Fortnite users must add a credit or debit card to their
`account. This card information is then stored under the supervision and care of Epic Games.
`18.
`Regardless of whether a user purchases in-game content, they are still required to
`provide PII, including their full name and a valid email address.
`19.
`Despite the fact that the majority of Epic Games’ revenue comes from charges to
`credit and debit cards under its protection, on information and belief, Defendant failed, and
`continues to fail, to provide adequate protection for Fortnite users’ personal and confidential
`information and has egregiously failed to provide sufficient and timely notice or warning of
`potential and actual cybersecurity breaches to Fortnite users.
`
`4
`Matthew Handrahan, Fortnite tops SuperData’s 2018 chart with $2.4 billion digital revenue (Jan.
`16, 2019), available at https://www.gamesindustry.biz/articles/2019-01-16-fortnite-tops-2018-superdata-
`chart-with-usd2-4b-digital-revenue (last visited August 8, 2019).
`
`
`4
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 7 of 27
`
`
`
`20.
`Upon information and belief, information as to whose accounts were exposed and
`whose PII was accessed without authorization as a result of the Data Breach is within Epic Games’
`exclusive control. Epic Games knows where accounts were logged-in from, where access tokens
`originated from and were sent, what type of device was used to log in to accounts, and what
`activity, fraudulent or otherwise, occurred on accounts.
`21.
`At all relevant times, Epic Games has assured Fortnite users that their privacy and
`security are of utmost importance to it, and Fortnite users have relied on those assurances in
`providing Epic Games with their PII. In fact, under a section of Epic Games’ privacy policy entitled
`“How We Protect Personal Information,” Epic Games provides that:
`We maintain appropriate administrative, technical, and physical safeguards
`to protect your personal information from accidental, unlawful, or unauthorized
`destruction, loss, alteration, access, disclosure, or use and other unlawful forms of
`processing. In some cases, your information is accessible when you log into a feature
`we offer, and in those cases you need to keep your user credentials and password
`confidential and secure so that your information is protected.5
`
`22.
`Epic Games failed to provide the security it promised to Fortnite users prior to the
`Data Breach, including that it “maintain[ed] appropriate administrative, technical, and physical
`safeguards to protect your personal information from accidental, unlawful, or unauthorized
`destruction, loss, alteration, access, disclosure, or use and other unlawful forms of processing.”
`23.
`Despite these assurances, Epic Games was forced to publicly reveal on January 16,
`2019 that Fortnite users’ personal information was subject to a data breach. According to media
`outlet reports, Check Point informed Defendant of the vulnerabilities in Fortnite’s web
`infrastructure as early as November of 2018,6 but Defendant still has not yet directly informed or
`
`5
`Epic Games Global Privacy Policy (last updated Dec. 19, 2018), available at
`https://www.epicgames.com/site/en-US/privacypolicy (last visited August 8, 2019).
`
` 6
`
` Jonathan Vanian, Researchers Discover Big Cybersecurity Flaw in Fortnite (Jan. 16, 2019),
`available at
`http://fortune.com/2019/01/16/fortnite-security-flaw-checkpoint/ (last visited August 8,
`2019); Lily Hay Newman, A Fortnite Vulnerability Exposed Accounts to Takeover (Jan. 16, 2019),
`available at https://www.wired.com/story/fortnite-vulnerability-account-takeover/ (last visited August 8,
`2019).
`
`
`
`5
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 8 of 27
`
`
`
`notified Fortnite users that their PII may have been and may continue to be compromised as a
`result of the Data Breach. Nor has Defendant disclosed when the vulnerability in Fortnite’s code
`was introduced, how long hackers have had access to Fortnite users’ PII, or how many user
`accounts were affected by the Data Breach.
`24.
`The insufficient security policies and procedures implemented by Defendant is a
`material fact that a reasonable consumer would consider when deciding whether to create an
`Epic Games or Fortnite account and to provide Defendant with personal and confidential
`information. Had Plaintiff and the other Class members known that Defendant failed to employ
`necessary and adequate protection of their personal information, they would not have created an
`Epic Games or Fortnite account, or they would have limited the PII they shared with Epic Games.
`Plaintiff and the other Class members should have been able to rely upon Epic Games’ Privacy
`Policy ensuring that “We maintain appropriate administrative, technical, and physical safeguards to
`protect your personal information from accidental, unlawful, or unauthorized destruction, loss,
`alteration, access, disclosure, or use and other unlawful forms of processing.”7
`25.
`This case involves the continuing and absolute disregard with which Defendant
`has chosen to treat the PII of account holders who played Fortnite. While this information was
`supposed to be protected, Epic Games – without authorization – exposed that information to third
`parties through lax and non-existent data safety and security policies and protocols.
`26.
`In addition, Epic Games made the following representations to Fortnite users:
`
` “We are required to seek your consent before we use your personal information for any
`purpose incompatible with the purposes identified in this policy.”8
`
` “We provide you with choices about whether to provide us with personal information
`and whether it is shared.”9
`
`7
`Epic Games Global Privacy Policy (last updated Dec. 19, 2018), available at
`https://www.epicgames.com/site/en-US/privacypolicy (last visited August 8, 2019).
`
`
`
`
`
`Id.
`
`Id.
`
`6
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 9 of 27
`
` 8
`
` 9
`
`
`
`
`
`27.
`At all relevant times, Epic Games has maintained a Privacy Policy on its website
`which advised Fortnite users, in part:
`
`As a general matter, we use your information to provide the services,
`experiences, merchandise, or information you request. We also may use your
`information for the following purposes.
`1. For our legitimate interests, consistent with your rights and preferences,
`we use personal data:
` To communicate with you, respond to your requests, or provide
`you with updates and information;
` To better understand our users, their interests, and their
`preferences;
` To personalize your experience, save your preferences,
`authenticate our users, and provide similar user-experience
`features;
` To develop, deliver, and improve our products, services, and other
`offerings, some of which may be offered in partnership with other
`parties;
` To manage and customize advertisements or promotional offers;
` For security purposes;
` For internal purposes such as auditing and data analysis.
`2. To provide services that are subject to terms you have accepted, such as
`enforcing our licenses, agreements, and terms of service, which may
`include reasonable monitoring to detect and prevent misuse or fraud and
`to keep our games fair for all users.
`3. To the extent you give consent, such as when we would like to process
`your personal information for a purpose that would otherwise be
`incompatible with this policy.
`4. To comply with legal obligations.
`
` (Emphases added).10
`B.
`PII Is Very Valuable on the Black Market
`28.
`The types of information compromised in the Data Breach are highly valuable to
`cybercriminals. The names, email addresses, passwords, security question answers, and credit and
`
`
`10
`Id.
`
`
`7
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 10 of 27
`
`
`
`debit card PII can all be used to gain access to a variety of existing accounts and websites and
`defraud Fortnite users of money and property.
`29.
`Identity thieves can also use the PII to harm Plaintiff and the other Class members
`through embarrassment, blackmail, or harassment in person or online, or to commit other types of
`fraud including obtaining ID cards or driver’s licenses, fraudulently obtaining tax returns and
`refunds, and obtaining government benefits. A Presidential Report on identity theft from 2008 states
`that:
`
`In addition to the losses that result when identity thieves fraudulently open
`accounts or misuse existing accounts, . . . individual victims often suffer indirect
`financial costs, including the costs incurred in both civil litigation initiated by
`creditors and in overcoming the many obstacles they face in obtaining or retaining
`credit. Victims of non-financial identity theft, for example, health-related or
`criminal record fraud, face other types of harm and frustration.
`
`In addition to out-of-pocket expenses that can reach thousands of dollars for
`the victims of new account identity theft, and the emotional toll identity theft can
`take, some victims have to spend what can be a considerable amount of time to
`repair the damage caused by the identity thieves. Victims of new account identity
`theft, for example, must correct fraudulent information in their credit reports and
`monitor their reports for future inaccuracies, close existing bank accounts and open
`new ones, and dispute charges with individual creditors.11
`30.
`To put it into context, the 2013 Norton Report – based on one of the largest
`consumer cybercrime studies ever conducted – estimated that the global price tag of cybercrime
`was around $113 billion at that time, with the average cost per victim being $298 dollars. That
`number no doubt increased after the PII of Plaintiff and the other Class members was leaked in the
`Data Breach.
`31.
`The problems associated with identity theft are exacerbated by the fact that
`many cybercriminals will wait years before attempting to use the PII they have obtained. Indeed,
`in order to protect themselves, Plaintiff and the other Class members will need to remain vigilant
`
`
`11
`The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, Federal
`Trade Commission, (April 2007), available at
`http://www.ftc.gov/sites/default/files/documents/reports/combating-identity-theft-strategic-
`plan/strategicplan.pdf (last visited August 8, 2019).
`
`8
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 11 of 27
`
`
`
`against unauthorized data use for years and decades to come.
`32.
`Once stolen, PII can be used in a number of different ways. One of the most
`common is that it is offered for sale on the “dark web,” a heavily encrypted part of the Internet that
`makes it difficult for authorities to detect the location or owners of a website. The dark web is not
`indexed by normal search engines such as Google and is only accessible using a Tor browser (or
`similar tool) which aims to conceal users’ identities and online activity. The dark web is notorious
`for hosting marketplaces selling illegal items such as weapons, drugs, and PII.12 Websites appear
`and disappear quickly, making it a very dynamic environment.
`33.
`Once someone buys PII, it is then used to gain access to different areas of the victim’s
`digital life, including bank accounts, social media, and credit card details. During that process, other
`sensitive data may be harvested from the victim’s accounts, as well as from those belonging to
`family, friends, and colleagues.
`34.
`In addition to PII, a hacked Fortnite account can be very valuable to cybercriminals
`because they are able to access credit or debit card information associated with the account. Once
`that card information is accessed, cybercriminals can and did purchase in-game Fortnite currency
`and other content, sold the Fortnite account and in-game purchases on the dark web and other places,
`like eBay, and/or used that information to make fraudulent purchases from third-parties. Sales of
`Fortnite accounts on the dark web have increased recently13 with accounts selling for an average of
`approximately $11.29.14 In other words, cybercriminals specifically targeted Fortnite user PII to
`
`
`12
`Brian Hamrick, The dark web: A trip into the underbelly of the internet (Feb. 9, 2017), available
`at https://www.wlwt.com/article/the-dark-web-a-trip-into-the-underbelly-of-the-internet/8698419 (last
`visited August 8, 2019).
`
`13
`Anthony Cuthbertson, Fortnite, Netflix and Uber Accounts Being Sold for Just £8 on the Dark
`Web (Feb. 19. 2019), available at https://www.independent.co.uk/life-style/gadgets-and-
`tech/news/fortnite-account-sale-dark-web-price-index-netflix-uber-cyber-crime-a8786686.html (last
`visited August 8, 2019).
`
`14
`Simon Migliano, Dark Web Market Price Index (February 2019 - UK Edition), available at
`https://www.top10vpn.com/privacy-central/privacy/dark-web-market-price-index-2019-uk-
`edition/#indextop (last visited August 8, 2019).
`
`
`9
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 12 of 27
`
`
`
`profit at the users’ expense through fraud and identity theft.
`35.
`The object of the Data Breach was not only to access and obtain user PII, but to turn
`around and profit from that PII through further fraud and identity theft. In other words, the hackers
`intentionally targeted the PII exposed, accessed, and stolen in the Data Breach in order to commit
`further fraud and identity theft.
`C.
`Epic Games’ Inadequate Data Security Allowed the Breach of Fortnite User
`Accounts
`36.
`On January 16, 2019, Epic Games acknowledged that Check Point “made [Epic
`Games] aware of vulnerabilities.”15
`37.
`Epic Games claimed that the vulnerabilities “were soon addressed.”16
`38.
`However, Epic Games did not know the origin or identity of the hackers. In fact,
`Epic Games had not fully assessed the scope of the attack – even though it represented that the
`vulnerability was fixed.17
`39.
`Between November 2018 and January 2019, Plaintiff’s debit card associated with his
`Epic Games account was, fraudulently and without his permission, charged for in-game Fortnite
`purchases as a result of the Data Breach.
`40.
`Following his discovery of the fraudulent charges, Plaintiff expended many hours
`over the course of several months attempting to remediate the damages he suffered as a result of the
`fraudulent charges and to otherwise protect his PII exposed and stolen as a result of the Data Breach.
`41.
`Unfortunately, despite numerous lapses in its approach to data security, Epic Games
`still lacks the safeguards and protections for Fortnite users’ PII, and that information remains at
`risk today and into the future, until Epic Games is compelled to secure the PII stored on millions
`
`
`15
`Jonathan Vanian, Researchers Discover Big Cybersecurity Flaw in Fortnite (Jan. 16, 2019),
`available at http://fortune.com/2019/01/16/fortnite-security-flaw-checkpoint/ (last visited August 8,
`2019).
`
`16
`
`17
`Lily Hay Newman, A Fortnite Vulnerability Exposed Accounts To Takeover (Jan. 16, 2019),
`available at https://www.wired.com/story/fortnite-vulnerability-account-takeover/ (last visited August 8,
`2019).
`
`Id.
`
`10
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 13 of 27
`
`
`
`of United States citizens who play Fortnite.
`CLASS ACTION ALLEGATIONS
`42.
`Pursuant to Rule 23(b)(2), (b)(3), and (c)(4) of the Federal Rules of Civil
`Procedure, Plaintiff, individually and on behalf of all others similarly situated, brings this lawsuit
`on behalf of himself and as a class action on behalf of the following Class and Sub-Class:
`
`Nationwide Class: All persons who registered for Epic Games
`accounts
`in
`the United States and whose PII was accessed,
`compromised, or stolen from Epic Games in the Data Breach and whose
`Epic Games accounts were subject to the terms of the Applicable EULA
`as defined infra.
`
`Missouri Sub-Class: All residents of Missouri who registered for Epic
`Games accounts and whose PII was accessed, compromised, or stolen
`from Epic Games in the Data Breach and whose Epic Games accounts
`were subject to the terms of the Applicable EULA as defined infra.
`43.
`Excluded from the Class are Defendant and any entities in which Defendant or its
`subsidiaries or affiliates have a controlling interest, and Defendant’s officers, agents, and
`employees. Also excluded from the Class are the judge assigned to this action, members of the
`judge’s staff, and any member of the judge’s immediate family. Plaintiff reserves the right to
`amend the Class and Sub-Class definition if discovery and further investigation reveal that the
`Class should be expanded or otherwise modified.
`Numerosity: The members of each Class are so numerous that joinder of all
`44.
`members of any Class would be impracticable. Plaintiff reasonably believes that Class members
`number hundreds of millions of people or more in the aggregate and well over 1,000 in the smallest
`of the classes. The names and addresses of Class members are identifiable through documents
`maintained by Defendant.
`Commonality and Predominance: This action involves common questions of law
`45.
`or fact, which predominate over any questions affecting individual Class members, including:
`
`a.
`
`Whether Defendant represented to the Class that it would safeguard Class
`members’ PII;
`
`11
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 14 of 27
`
`
`
`b.
`
`c.
`
`d.
`
`e.
`
`f.
`
`g.
`
`h.
`
`i.
`
`j.
`
`Whether Defendant owed a legal duty to Plaintiff and the Class to exercise due care
`in collecting, storing, and safeguarding their PII;
`
`Whether Defendant breached a legal duty to Plaintiff and the Class to exercise due
`care in collecting, storing, and safeguarding their PII;
`
`Whether Class members’ PII was accessed, compromised, or stolen in the Data
`Breach;
`
`Whether Defendant knew about the Data Breach before it was announced to the
`public and failed to timely notify the public of the Data Breach;
`
`Whether Defendant’s conduct was an unlawful or unfair business practice under
`N.C. Gen. Stat § 71-1.1;
`
`Whether Defendant failed to provide timely notice of the Data Breach in violation
`of N.C. Gen. Stat § 75-65;
`
`Whether Defendant’s violation of § 75-65 allowed for a private right of action under
`N.C. Gen. Stat § 71-1.1;
`
`Whether Plaintiff and the Class are entitled to equitable relief, including, but
`not limited to, injunctive relief and restitution; and
`
`Whether Plaintiff and the other Class members are entitled to actual, statutory,
`or other forms of damages, and other monetary relief.
`
`46.
`As further indication of the common questions of law, Epic Games’ Fortnite End
`User License Agreement in effect at the time of the Data Breach (the “Applicable EULA”) provides
`that “any dispute will be resolved in accordance with the laws of North Carolina.” A copy of the
`Applicable EULA is attached hereto as “Exhibit A.”
`47.
`Sometime between approximately February 7, 2019, the last time counsel for
`Plaintiff accessed the Applicable EULA, and approximately June 24, 2019, Epic Games modified
`the terms of the Applicable EULA into a new EULA (the “Current EULA”), attached hereto as
`“Exhibit B.” One such modification was the Applicable EULA’s section entitled “Class Action
`Waiver” changing to “Binding Individual Arbitration; Class Action Waiver” in the Current EULA.
`As described supra, the Class and Sub-Class only encompass persons whose Epic Games accounts
`were subject to the terms of the Applicable EULA.
`48.
`Similar or identical statutory and common law violations, business practices,
`
`12
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 15 of 27
`
`
`
`and injuries are involved. Individual questions, if any, pale by comparison, in both quantity
`and quality, to the numerous common questions that dominate this action.
`Typicality: Plaintiff’s claims are typical of the claims of the other members
`49.
`of their respective classes because, among other things, Plaintiff and the other Class members
`were injured through the substantially uniform misconduct of Defendant. Plaintiff is
`advancing the same claims and legal theories on behalf of himself and all other Class
`members, and there are no defenses that are unique to Plaintiff. The claims of Plaintiff and
`of all other Class members arise from the same operative facts and are based on the same
`legal theories.
`50. Adequacy of Representation: Plaintiff is an adequate representative of the
`classes because his interests do not conflict with the interests of the other Class members
`they seek to represent; he has retained counsel competent and experienced in complex class
`action litigation; and he will prosecute this action vigorously. The Class members’ interests
`will be fairly and adequately protected by Plaintiff and his counsel.
`Superiority: A class action is superior to any other available means for the fair and
`51.
`efficient adjudication of this controversy, and no unusual difficulties are likely to be encountered in
`the management of this matter as a class action. The damages, harm, or other financial detriment
`suffered individually by Plaintiff and the other members of his respective classes are relatively small
`compared to the burden and expense that would be required to litigate their claims on an individual
`basis against Defendant, making it impracticable for Class members to individually seek redress
`for Defendant’s wrongful conduct. Even if Class members could afford individual litigation, the
`court system could not. Individualized litigation would create a potential for inconsistent or
`co