throbber

`
`MICHAEL HEIDBREDER
`
`
`Plaintiff,
`
`vs
`EPIC GAMES, INC.,
`Defendant.
`
`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE EASTERN DISTRICT OF NORTH CAROLINA
`WESTERN DIVISION
`
`
`)
`)
`)
`)
`)
`)
`)
`)
`)
`
`
`
`Case No.:
`
`CLASS ACTION COMPLAINT
`JURY TRIAL DEMANDED
`
`
`
`
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 1 of 27
`
`

`

`
`
`TABLE OF CONTENTS
`SUMMARY OF CASE..................................................................................................... 1
`
`JURISDICTION AND VENUE ....................................................................................... 3
`
`PARTIES .......................................................................................................................... 3
`
`A.
`
`B.
`
`Plaintiff ..................................................................................................... 3
`
`Defendant .................................................................................................. 4
`
`FACTUAL BACKGROUND ........................................................................................... 4
`
`A.
`
`B.
`
`C.
`
`Epic Games Collects and Stores PII for its Own Financial Gain ............. 4
`
`PII Is Very Valuable on the Black Market................................................ 7
`
`Epic Games’ Inadequate Data Security Allowed the Breach of Fortnite
`User Accounts ......................................................................................... 10
`
`CLAIMS ALLEGED ON BEHALF OF ALL CLASSES .............................................. 15
`
`First Claim for Relief .......................................................................................... 15
`
`Second Claim for Relief ...................................................................................... 17
`
`Third Claim for Relief ........................................................................................ 18
`
`Fourth Claim for Relief ....................................................................................... 20
`
`
`
`ADDITIONAL CLAIM ALLEGED ON BEHALF OF THE MISSOURI SUB-CLASS
`ONLY ............................................................................................................................. 21
`
`Fifth Claim for Relief.......................................................................................... 21
`
`i
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 2 of 27
`
`

`

`PRAYER FOR RELIEF ................................................................................................. 23
`
`JURY TRIAL DEMANDED .......................................................................................... 24
`
`
`
`ii
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 3 of 27
`
`

`

`
`
`For his Class Action Complaint, Plaintiff Michael Heidbreder (“Plaintiff”), on behalf of
`himself and all others similarly situated, alleges the following against Defendant Epic Games, Inc.
`(“Defendant” or “Epic Games”), based on personal knowledge as to Plaintiff and Plaintiff’s own
`acts, and on information and belief as to all other matters based upon, inter alia, the investigation
`conducted by and through Plaintiff’s undersigned counsel:
`SUMMARY OF CASE
`1.
`This case involves a data breach Epic Games announced on January 16, 2019, wherein
`the personal information of 200 million Fortnite users was exposed due to a flaw in Fortnite’s code
`that allowed hackers and other nefarious users to take over player accounts and exploit their personal
`information for unsavory and illegal purposes (“Data Breach”).
`2.
`Epic Games developed and operates Fortnite, a popular battle-royale style video
`game played by approximately 80 million people per month and with approximately 200 million
`registered users across computer, console, and mobile platforms.
`3.
`As part of the sign-up process and as a consequence of playing Fortnite, users
`create, maintain, and update accounts containing personal information, including their names,
`email addresses, and credit or debit card information, referred to herein as “PII” (personally
`identifiable information).
`4.
`On January 16, 2019, Epic Games publicly acknowledged that Fortnite users’ PII
`was subject to a security breach, but did not disclose a timeframe for the Data Breach or how many
`accounts were impacted. Epic Games has not yet directly informed or notified individual Fortnite
`users that their PII may be compromised as a result of the breach. Epic Games’ acknowledgement
`only came after Check Point Software Technologies Ltd. (“Check Point”), a cybersecurity firm,
`discovered vulnerabilities in Fortnite’s web infrastructure and disclosed their findings to Epic
`Games in November of 2018.
`5.
`Fortnite’s vulnerabilities stemmed from its single sign-on (“SSO”) setup, a
`mechanism that allows users to log into multiple services with the same third-party account such
`
`1
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 4 of 27
`
`

`

`as Epic Games, Xbox, or Google. Once logged into a third-party account, users could log in and
`access their Fortnite account by requesting the third-party account send an access token1 to
`Fortnite.
`6.
`Hackers exploited the SSO by distributing phishing links over social media
`messages or forum posts claiming, inter alia, to be about a Fortnite promotion. When users
`opened the link, they were asked to log in to their Fortnite account via the SSO. But instead of
`having the third-party account send the security token to the legitimate login, hackers redirected
`those users to an old, unsecured URL maintained by Epic Games. Check Point’s research revealed
`that hackers could embed that URL with malicious JavaScript allowing them to steal Fortnite
`access tokens which they could then use to take over users’ accounts.
`7.
`As a result of Defendant’s failure to maintain adequate security measures and notify
`users of the security breach in a timely manner, Plaintiff and certain Fortnite users’ PII was
`compromised. They have suffered an ascertainable loss in that the credit or debit card information
`linked to their Fortnite accounts was stolen as a result of Defendant’s failures. Hackers used this
`information to purchase in-game Fortnite currency without the permission of the account holders,
`including Plaintiff. Hackers also used this information to steal player accounts. Some of these stolen
`accounts, once loaded up with in-game currency purchased fraudulently, were sold on third-party
`websites. The sale of Fortnite accounts on the dark web has increased recently,2 with accounts selling
`for an average of approximately $11.29.3 Furthermore, Plaintiff and the other impacted Fortnite users
`must undertake additional security measures, some at their own expense, to minimize the risk of
`
`
`1
`Access tokens are the equivalent of digital keys that allow users logged into third-party accounts
`to use those accounts as a verification to log in to their Fortnite accounts.
`
`Antony Cuthbertson, Fortnite, Netflix and Uber Accounts Being Sold For Just £8 on the Dark
`
`Web (Feb. 19, 2019), available at https://www.independent.co.uk/life-style/gadgets-and-
`tech/news/fortnite-account-sale-dark-web-price-index-netflix-uber-cyber-crime-a8786686.html (last
`visited August 8, 2019).
`
` 2
`
`3
`Simon Migliano, Dark Web Market Price Index (February 2019 - UK Edition), available at
`https://www.top10vpn.com/privacy-central/privacy/dark-web-market-price-index-2019-uk-
`edition/#indextop (last visited August 8, 2019).
`
`2
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 5 of 27
`
`

`

`future data breaches including, without limitation, canceling credit or debit cards associated with
`their Fortnite and/or Epic Games accounts and changing their passwords to those accounts. But there
`is no guarantee that such security measures will in fact adequately protect their PII. As such, Plaintiff
`and the other Class members have an ongoing interest in ensuring that their PII is protected from
`past and future cybersecurity threats.
`8.
`This Class Action Complaint is filed on behalf of all persons in the United States
`described more fully in the following sections, whose PII was compromised in the Data Breach.
`JURISDICTION AND VENUE
`9.
`This Court has jurisdiction over this action pursuant to the Class Action
`Fairness Act (“CAFA”), 28 U.S.C. § 1332(d), because the aggregate amount in controversy
`exceeds $5,000,000, exclusive of interests and costs, there are more than 100 class members, and
`at least one class member is a citizen of a state different from Defendant and is a citizen of a
`foreign state. The Court also has supplemental jurisdiction over the state law claims pursuant to
`28 U.S.C. § 1367.
`10.
`Venue is proper under 28 U.S.C. § 1391(c) because Defendant is a corporation
`that does business in and is subject to personal jurisdiction in this District. Venue is also proper
`because a substantial part of the events or omissions giving rise to the claims in this action occurred
`in or emanated from this District, including the decisions made by Epic Games’ governance and
`management personnel that led to the Data Breach. Further, Epic Games’ terms of service governing
`users in the United States provides for venue in North Carolina for all claims arising out of
`Plaintiff’s relationship with Epic Games.
`
`PARTIES
`
`A.
`Plaintiff
`11.
`Plaintiff Michael Heidbreder is an adult individual residing in the State of Missouri.
`12.
`At all relevant times, Plaintiff had an Epic Games account, was a Fortnite user, and
`had a debit card linked to his Epic Games account.
`
`3
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 6 of 27
`
`

`

`B.
`Defendant
`13.
`Defendant Epic Games, Inc. is a Maryland corporation with its principal executive
`offices located at 620 Crossroads Boulevard, Cary, North Carolina 27518.
`14.
`At all relevant times, Defendant was and is engaged in the business of developing
`and operating video games, websites, and mobile applications in Wake County and throughout the
`United States of America.
`
`FACTUAL BACKGROUND
`A.
`Epic Games Collects and Stores PII for its Own Financial Gain
`15.
`The majority of Epic Games’ revenue comes from sales associated with its Fortnite
`video game. In 2018, Fortnite accounted for $2.4 billion of Epic Games’ revenue, “ʻthe most annual
`revenue of any [video] game in history.ʼ”4
`16. While Fortnite’s “Battle Royale” mode can be downloaded and played for free, users
`have the option of purchasing a “Battle Pass” each “Season” that allows access to exclusive in-game
`content for Battle Royale mode. Users can also purchase “PVE [player versus environment]
`Campaign Packs” ranging in price from approximately $40.00 to $150.00.
`17.
`To purchase in-game content, Fortnite users must add a credit or debit card to their
`account. This card information is then stored under the supervision and care of Epic Games.
`18.
`Regardless of whether a user purchases in-game content, they are still required to
`provide PII, including their full name and a valid email address.
`19.
`Despite the fact that the majority of Epic Games’ revenue comes from charges to
`credit and debit cards under its protection, on information and belief, Defendant failed, and
`continues to fail, to provide adequate protection for Fortnite users’ personal and confidential
`information and has egregiously failed to provide sufficient and timely notice or warning of
`potential and actual cybersecurity breaches to Fortnite users.
`
`4
`Matthew Handrahan, Fortnite tops SuperData’s 2018 chart with $2.4 billion digital revenue (Jan.
`16, 2019), available at https://www.gamesindustry.biz/articles/2019-01-16-fortnite-tops-2018-superdata-
`chart-with-usd2-4b-digital-revenue (last visited August 8, 2019).
`
`
`4
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 7 of 27
`
`

`

`20.
`Upon information and belief, information as to whose accounts were exposed and
`whose PII was accessed without authorization as a result of the Data Breach is within Epic Games’
`exclusive control. Epic Games knows where accounts were logged-in from, where access tokens
`originated from and were sent, what type of device was used to log in to accounts, and what
`activity, fraudulent or otherwise, occurred on accounts.
`21.
`At all relevant times, Epic Games has assured Fortnite users that their privacy and
`security are of utmost importance to it, and Fortnite users have relied on those assurances in
`providing Epic Games with their PII. In fact, under a section of Epic Games’ privacy policy entitled
`“How We Protect Personal Information,” Epic Games provides that:
`We maintain appropriate administrative, technical, and physical safeguards
`to protect your personal information from accidental, unlawful, or unauthorized
`destruction, loss, alteration, access, disclosure, or use and other unlawful forms of
`processing. In some cases, your information is accessible when you log into a feature
`we offer, and in those cases you need to keep your user credentials and password
`confidential and secure so that your information is protected.5
`
`22.
`Epic Games failed to provide the security it promised to Fortnite users prior to the
`Data Breach, including that it “maintain[ed] appropriate administrative, technical, and physical
`safeguards to protect your personal information from accidental, unlawful, or unauthorized
`destruction, loss, alteration, access, disclosure, or use and other unlawful forms of processing.”
`23.
`Despite these assurances, Epic Games was forced to publicly reveal on January 16,
`2019 that Fortnite users’ personal information was subject to a data breach. According to media
`outlet reports, Check Point informed Defendant of the vulnerabilities in Fortnite’s web
`infrastructure as early as November of 2018,6 but Defendant still has not yet directly informed or
`
`5
`Epic Games Global Privacy Policy (last updated Dec. 19, 2018), available at
`https://www.epicgames.com/site/en-US/privacypolicy (last visited August 8, 2019).
`
` 6
`
` Jonathan Vanian, Researchers Discover Big Cybersecurity Flaw in Fortnite (Jan. 16, 2019),
`available at
`http://fortune.com/2019/01/16/fortnite-security-flaw-checkpoint/ (last visited August 8,
`2019); Lily Hay Newman, A Fortnite Vulnerability Exposed Accounts to Takeover (Jan. 16, 2019),
`available at https://www.wired.com/story/fortnite-vulnerability-account-takeover/ (last visited August 8,
`2019).
`
`
`
`5
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 8 of 27
`
`

`

`notified Fortnite users that their PII may have been and may continue to be compromised as a
`result of the Data Breach. Nor has Defendant disclosed when the vulnerability in Fortnite’s code
`was introduced, how long hackers have had access to Fortnite users’ PII, or how many user
`accounts were affected by the Data Breach.
`24.
`The insufficient security policies and procedures implemented by Defendant is a
`material fact that a reasonable consumer would consider when deciding whether to create an
`Epic Games or Fortnite account and to provide Defendant with personal and confidential
`information. Had Plaintiff and the other Class members known that Defendant failed to employ
`necessary and adequate protection of their personal information, they would not have created an
`Epic Games or Fortnite account, or they would have limited the PII they shared with Epic Games.
`Plaintiff and the other Class members should have been able to rely upon Epic Games’ Privacy
`Policy ensuring that “We maintain appropriate administrative, technical, and physical safeguards to
`protect your personal information from accidental, unlawful, or unauthorized destruction, loss,
`alteration, access, disclosure, or use and other unlawful forms of processing.”7
`25.
`This case involves the continuing and absolute disregard with which Defendant
`has chosen to treat the PII of account holders who played Fortnite. While this information was
`supposed to be protected, Epic Games – without authorization – exposed that information to third
`parties through lax and non-existent data safety and security policies and protocols.
`26.
`In addition, Epic Games made the following representations to Fortnite users:
`
` “We are required to seek your consent before we use your personal information for any
`purpose incompatible with the purposes identified in this policy.”8
`
` “We provide you with choices about whether to provide us with personal information
`and whether it is shared.”9
`
`7
`Epic Games Global Privacy Policy (last updated Dec. 19, 2018), available at
`https://www.epicgames.com/site/en-US/privacypolicy (last visited August 8, 2019).
`
`
`
`
`
`Id.
`
`Id.
`
`6
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 9 of 27
`
` 8
`
` 9
`
`
`
`

`

`27.
`At all relevant times, Epic Games has maintained a Privacy Policy on its website
`which advised Fortnite users, in part:
`
`As a general matter, we use your information to provide the services,
`experiences, merchandise, or information you request. We also may use your
`information for the following purposes.
`1. For our legitimate interests, consistent with your rights and preferences,
`we use personal data:
` To communicate with you, respond to your requests, or provide
`you with updates and information;
` To better understand our users, their interests, and their
`preferences;
` To personalize your experience, save your preferences,
`authenticate our users, and provide similar user-experience
`features;
` To develop, deliver, and improve our products, services, and other
`offerings, some of which may be offered in partnership with other
`parties;
` To manage and customize advertisements or promotional offers;
` For security purposes;
` For internal purposes such as auditing and data analysis.
`2. To provide services that are subject to terms you have accepted, such as
`enforcing our licenses, agreements, and terms of service, which may
`include reasonable monitoring to detect and prevent misuse or fraud and
`to keep our games fair for all users.
`3. To the extent you give consent, such as when we would like to process
`your personal information for a purpose that would otherwise be
`incompatible with this policy.
`4. To comply with legal obligations.
`
` (Emphases added).10
`B.
`PII Is Very Valuable on the Black Market
`28.
`The types of information compromised in the Data Breach are highly valuable to
`cybercriminals. The names, email addresses, passwords, security question answers, and credit and
`
`
`10
`Id.
`
`
`7
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 10 of 27
`
`

`

`debit card PII can all be used to gain access to a variety of existing accounts and websites and
`defraud Fortnite users of money and property.
`29.
`Identity thieves can also use the PII to harm Plaintiff and the other Class members
`through embarrassment, blackmail, or harassment in person or online, or to commit other types of
`fraud including obtaining ID cards or driver’s licenses, fraudulently obtaining tax returns and
`refunds, and obtaining government benefits. A Presidential Report on identity theft from 2008 states
`that:
`
`In addition to the losses that result when identity thieves fraudulently open
`accounts or misuse existing accounts, . . . individual victims often suffer indirect
`financial costs, including the costs incurred in both civil litigation initiated by
`creditors and in overcoming the many obstacles they face in obtaining or retaining
`credit. Victims of non-financial identity theft, for example, health-related or
`criminal record fraud, face other types of harm and frustration.
`
`In addition to out-of-pocket expenses that can reach thousands of dollars for
`the victims of new account identity theft, and the emotional toll identity theft can
`take, some victims have to spend what can be a considerable amount of time to
`repair the damage caused by the identity thieves. Victims of new account identity
`theft, for example, must correct fraudulent information in their credit reports and
`monitor their reports for future inaccuracies, close existing bank accounts and open
`new ones, and dispute charges with individual creditors.11
`30.
`To put it into context, the 2013 Norton Report – based on one of the largest
`consumer cybercrime studies ever conducted – estimated that the global price tag of cybercrime
`was around $113 billion at that time, with the average cost per victim being $298 dollars. That
`number no doubt increased after the PII of Plaintiff and the other Class members was leaked in the
`Data Breach.
`31.
`The problems associated with identity theft are exacerbated by the fact that
`many cybercriminals will wait years before attempting to use the PII they have obtained. Indeed,
`in order to protect themselves, Plaintiff and the other Class members will need to remain vigilant
`
`
`11
`The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, Federal
`Trade Commission, (April 2007), available at
`http://www.ftc.gov/sites/default/files/documents/reports/combating-identity-theft-strategic-
`plan/strategicplan.pdf (last visited August 8, 2019).
`
`8
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 11 of 27
`
`

`

`against unauthorized data use for years and decades to come.
`32.
`Once stolen, PII can be used in a number of different ways. One of the most
`common is that it is offered for sale on the “dark web,” a heavily encrypted part of the Internet that
`makes it difficult for authorities to detect the location or owners of a website. The dark web is not
`indexed by normal search engines such as Google and is only accessible using a Tor browser (or
`similar tool) which aims to conceal users’ identities and online activity. The dark web is notorious
`for hosting marketplaces selling illegal items such as weapons, drugs, and PII.12 Websites appear
`and disappear quickly, making it a very dynamic environment.
`33.
`Once someone buys PII, it is then used to gain access to different areas of the victim’s
`digital life, including bank accounts, social media, and credit card details. During that process, other
`sensitive data may be harvested from the victim’s accounts, as well as from those belonging to
`family, friends, and colleagues.
`34.
`In addition to PII, a hacked Fortnite account can be very valuable to cybercriminals
`because they are able to access credit or debit card information associated with the account. Once
`that card information is accessed, cybercriminals can and did purchase in-game Fortnite currency
`and other content, sold the Fortnite account and in-game purchases on the dark web and other places,
`like eBay, and/or used that information to make fraudulent purchases from third-parties. Sales of
`Fortnite accounts on the dark web have increased recently13 with accounts selling for an average of
`approximately $11.29.14 In other words, cybercriminals specifically targeted Fortnite user PII to
`
`
`12
`Brian Hamrick, The dark web: A trip into the underbelly of the internet (Feb. 9, 2017), available
`at https://www.wlwt.com/article/the-dark-web-a-trip-into-the-underbelly-of-the-internet/8698419 (last
`visited August 8, 2019).
`
`13
`Anthony Cuthbertson, Fortnite, Netflix and Uber Accounts Being Sold for Just £8 on the Dark
`Web (Feb. 19. 2019), available at https://www.independent.co.uk/life-style/gadgets-and-
`tech/news/fortnite-account-sale-dark-web-price-index-netflix-uber-cyber-crime-a8786686.html (last
`visited August 8, 2019).
`
`14
`Simon Migliano, Dark Web Market Price Index (February 2019 - UK Edition), available at
`https://www.top10vpn.com/privacy-central/privacy/dark-web-market-price-index-2019-uk-
`edition/#indextop (last visited August 8, 2019).
`
`
`9
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 12 of 27
`
`

`

`profit at the users’ expense through fraud and identity theft.
`35.
`The object of the Data Breach was not only to access and obtain user PII, but to turn
`around and profit from that PII through further fraud and identity theft. In other words, the hackers
`intentionally targeted the PII exposed, accessed, and stolen in the Data Breach in order to commit
`further fraud and identity theft.
`C.
`Epic Games’ Inadequate Data Security Allowed the Breach of Fortnite User
`Accounts
`36.
`On January 16, 2019, Epic Games acknowledged that Check Point “made [Epic
`Games] aware of vulnerabilities.”15
`37.
`Epic Games claimed that the vulnerabilities “were soon addressed.”16
`38.
`However, Epic Games did not know the origin or identity of the hackers. In fact,
`Epic Games had not fully assessed the scope of the attack – even though it represented that the
`vulnerability was fixed.17
`39.
`Between November 2018 and January 2019, Plaintiff’s debit card associated with his
`Epic Games account was, fraudulently and without his permission, charged for in-game Fortnite
`purchases as a result of the Data Breach.
`40.
`Following his discovery of the fraudulent charges, Plaintiff expended many hours
`over the course of several months attempting to remediate the damages he suffered as a result of the
`fraudulent charges and to otherwise protect his PII exposed and stolen as a result of the Data Breach.
`41.
`Unfortunately, despite numerous lapses in its approach to data security, Epic Games
`still lacks the safeguards and protections for Fortnite users’ PII, and that information remains at
`risk today and into the future, until Epic Games is compelled to secure the PII stored on millions
`
`
`15
`Jonathan Vanian, Researchers Discover Big Cybersecurity Flaw in Fortnite (Jan. 16, 2019),
`available at http://fortune.com/2019/01/16/fortnite-security-flaw-checkpoint/ (last visited August 8,
`2019).
`
`16
`
`17
`Lily Hay Newman, A Fortnite Vulnerability Exposed Accounts To Takeover (Jan. 16, 2019),
`available at https://www.wired.com/story/fortnite-vulnerability-account-takeover/ (last visited August 8,
`2019).
`
`Id.
`
`10
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 13 of 27
`
`

`

`of United States citizens who play Fortnite.
`CLASS ACTION ALLEGATIONS
`42.
`Pursuant to Rule 23(b)(2), (b)(3), and (c)(4) of the Federal Rules of Civil
`Procedure, Plaintiff, individually and on behalf of all others similarly situated, brings this lawsuit
`on behalf of himself and as a class action on behalf of the following Class and Sub-Class:
`
`Nationwide Class: All persons who registered for Epic Games
`accounts
`in
`the United States and whose PII was accessed,
`compromised, or stolen from Epic Games in the Data Breach and whose
`Epic Games accounts were subject to the terms of the Applicable EULA
`as defined infra.
`
`Missouri Sub-Class: All residents of Missouri who registered for Epic
`Games accounts and whose PII was accessed, compromised, or stolen
`from Epic Games in the Data Breach and whose Epic Games accounts
`were subject to the terms of the Applicable EULA as defined infra.
`43.
`Excluded from the Class are Defendant and any entities in which Defendant or its
`subsidiaries or affiliates have a controlling interest, and Defendant’s officers, agents, and
`employees. Also excluded from the Class are the judge assigned to this action, members of the
`judge’s staff, and any member of the judge’s immediate family. Plaintiff reserves the right to
`amend the Class and Sub-Class definition if discovery and further investigation reveal that the
`Class should be expanded or otherwise modified.
`Numerosity: The members of each Class are so numerous that joinder of all
`44.
`members of any Class would be impracticable. Plaintiff reasonably believes that Class members
`number hundreds of millions of people or more in the aggregate and well over 1,000 in the smallest
`of the classes. The names and addresses of Class members are identifiable through documents
`maintained by Defendant.
`Commonality and Predominance: This action involves common questions of law
`45.
`or fact, which predominate over any questions affecting individual Class members, including:
`
`a.
`
`Whether Defendant represented to the Class that it would safeguard Class
`members’ PII;
`
`11
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 14 of 27
`
`

`

`b.
`
`c.
`
`d.
`
`e.
`
`f.
`
`g.
`
`h.
`
`i.
`
`j.
`
`Whether Defendant owed a legal duty to Plaintiff and the Class to exercise due care
`in collecting, storing, and safeguarding their PII;
`
`Whether Defendant breached a legal duty to Plaintiff and the Class to exercise due
`care in collecting, storing, and safeguarding their PII;
`
`Whether Class members’ PII was accessed, compromised, or stolen in the Data
`Breach;
`
`Whether Defendant knew about the Data Breach before it was announced to the
`public and failed to timely notify the public of the Data Breach;
`
`Whether Defendant’s conduct was an unlawful or unfair business practice under
`N.C. Gen. Stat § 71-1.1;
`
`Whether Defendant failed to provide timely notice of the Data Breach in violation
`of N.C. Gen. Stat § 75-65;
`
`Whether Defendant’s violation of § 75-65 allowed for a private right of action under
`N.C. Gen. Stat § 71-1.1;
`
`Whether Plaintiff and the Class are entitled to equitable relief, including, but
`not limited to, injunctive relief and restitution; and
`
`Whether Plaintiff and the other Class members are entitled to actual, statutory,
`or other forms of damages, and other monetary relief.
`
`46.
`As further indication of the common questions of law, Epic Games’ Fortnite End
`User License Agreement in effect at the time of the Data Breach (the “Applicable EULA”) provides
`that “any dispute will be resolved in accordance with the laws of North Carolina.” A copy of the
`Applicable EULA is attached hereto as “Exhibit A.”
`47.
`Sometime between approximately February 7, 2019, the last time counsel for
`Plaintiff accessed the Applicable EULA, and approximately June 24, 2019, Epic Games modified
`the terms of the Applicable EULA into a new EULA (the “Current EULA”), attached hereto as
`“Exhibit B.” One such modification was the Applicable EULA’s section entitled “Class Action
`Waiver” changing to “Binding Individual Arbitration; Class Action Waiver” in the Current EULA.
`As described supra, the Class and Sub-Class only encompass persons whose Epic Games accounts
`were subject to the terms of the Applicable EULA.
`48.
`Similar or identical statutory and common law violations, business practices,
`
`12
`Case 5:19-cv-00348-BO Document 1 Filed 08/08/19 Page 15 of 27
`
`

`

`and injuries are involved. Individual questions, if any, pale by comparison, in both quantity
`and quality, to the numerous common questions that dominate this action.
`Typicality: Plaintiff’s claims are typical of the claims of the other members
`49.
`of their respective classes because, among other things, Plaintiff and the other Class members
`were injured through the substantially uniform misconduct of Defendant. Plaintiff is
`advancing the same claims and legal theories on behalf of himself and all other Class
`members, and there are no defenses that are unique to Plaintiff. The claims of Plaintiff and
`of all other Class members arise from the same operative facts and are based on the same
`legal theories.
`50. Adequacy of Representation: Plaintiff is an adequate representative of the
`classes because his interests do not conflict with the interests of the other Class members
`they seek to represent; he has retained counsel competent and experienced in complex class
`action litigation; and he will prosecute this action vigorously. The Class members’ interests
`will be fairly and adequately protected by Plaintiff and his counsel.
`Superiority: A class action is superior to any other available means for the fair and
`51.
`efficient adjudication of this controversy, and no unusual difficulties are likely to be encountered in
`the management of this matter as a class action. The damages, harm, or other financial detriment
`suffered individually by Plaintiff and the other members of his respective classes are relatively small
`compared to the burden and expense that would be required to litigate their claims on an individual
`basis against Defendant, making it impracticable for Class members to individually seek redress
`for Defendant’s wrongful conduct. Even if Class members could afford individual litigation, the
`court system could not. Individualized litigation would create a potential for inconsistent or
`co

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket